QRadar 70 AdminGuide

QRadar Administration Guide
Release 7.0
October 2010
DO18102010-B
http://www.q1labs.com
Q1 Labs Inc.
890 Winter Street
Suite 230
Waltham, MA 02451 USA
Copyright © 2010 Q1 Labs, Inc. All rights reserved. Q1 Labs, the Q1 Labs logo, Total Security Intelligence, and QRadar are trademarks or
registered trademarks of Q1 Labs, Inc. All other company or product names mentioned may be trademarks or registered trademarks of their
respective holders. The specifications and information contained herein are subject to change without notice.
This Software, and all of the manuals and other written materials provided with the Software, is the property of Q1 Labs Inc. These rights are valid
and protected in all media now existing or later developed, and use of the Software shall be governed and constrained by applicable U.S.
copyright laws and international treaties. Unauthorized use of this Software will result in severe civil and criminal penalties, and will be prosecuted
to the maximum extent under law.
Except as set forth in this Manual, users may not modify, adapt, translate, exhibit, publish, transmit, participate in the transfer or sale of,
reproduce, create derivative works from, perform, display, reverse engineer, decompile or dissemble, or in any way exploit, the Software, in whole
or in part. Unless explicitly provided to the contrary in this Manual, users may not remove, alter, or obscure in any way any proprietary rights
notices (including copyright notices) of the Software or accompanying materials. Q1 Labs Inc. reserves the right to revise this documentation and
to make changes in content from time to time without obligation on the part of Q1 Labs Inc. to provide notification of such revision or change. Q1
Labs Inc. provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to,
the implied warranties, terms, or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. Specifications of the
Software are subject to change without notice.
CONTENTS
ABOUT THIS GUIDE

Audience 1
Conventions 1
Technical Documentation 1
Contacting Customer Support 2
1 OVERVIEW
About the Interface 3
Using the Interface 4
Deploying Changes 5
Updating User Details 5
Resetting SIM 5
About High Availability 6
Monitoring QRadar Systems with SNMP 7
2 MANAGING USERS
Managing Roles 9
Viewing Roles 9
Creating a Role 10
Editing a Role 15
Deleting a Role 16
Managing User Accounts 16
Creating a User Account 16
Editing a User Account 18
Disabling a User Account 19
Authenticating Users 19
3 MANAGING THE SYSTEM

Managing Your License Keys 23
Updating your License Key 24
Exporting Your License Key Information 25
Restarting a System 26
Shutting Down a System 26
Configuring Access Settings 27
Configuring Firewall Access 27
Updating Your Host Set-up 29
Configuring Interface Roles 30
Changing Passwords 31
Updating System Time 32
4 MANAGING HIGH AVAILABILITY

Before You Begin 38
HA Deployment Overview 39
HA Clustering 39
Data Storage Strategies 40
Failovers 41
Adding an HA Cluster 42
Editing an HA Cluster 48
Removing an HA Host 50
Setting an HA Host Offline 51
Setting an HA Host Online 51
Restoring a Failed Host 51
5 SETTING UP QRADAR
Creating Your Network Hierarchy 53
Considerations 53
Defining Your Network Hierarchy 54
Scheduling Automatic Updates 58
Updating Your Files On-Demand 62
Configuring System Settings 63
Configuring System Notifications 70
Configuring the Console Settings 72
6 MANAGING AUTHORIZED SERVICES

Viewing Authorized Services 77
Adding an Authorized Service 78
Revoking Authorized Services 79
Configuring the Customer Support Service 79
Dismissing an Offense 79
Closing an Offense 80
Adding Notes to an Offense 80
7 MANAGING BACKUP AND RECOVERY

Managing Backup Archives 81
Viewing Backup Archives 81
Importing an Archive 82
Deleting a Backup Archive 83
Backing Up Your Information 84
Scheduling Your Backup 84
Initiating a Backup 87
Restoring Your Configuration Information 88
Restoring on a System with the Same IP Address 88
Restoring to a System with a Different IP Address 90
8 USING THE DEPLOYMENT EDITOR

About the Deployment Editor 94
Accessing the Deployment Editor 95
Using the Editor 95
Building Your Deployment 97
Before you Begin 97
Viewing Deployment Editor Preferences 98
Building Your Event View 98
Adding Components 100
Connecting Components 102
Forwarding Normalized Events and Flows 104
Renaming Components 107
Managing Your System View 108
Setting Up Managed Hosts 108
Using NAT with QRadar 114
Configuring a Managed Host 118
Assigning a Component to a Host 119
Configuring Host Context 120
Configuring an Accumulator 123
Configuring QRadar Components 124
Configuring a QFlow Collector 124
Configuring an Event Collector 130
Configuring an Event Processor 132
Configuring the Magistrate 135
Configuring an Off-site Source 135
Configuring an Off-site Target 136
9 MANAGING FLOW SOURCES

About Flow Sources 139
NetFlow 140
sFlow 141
J-Flow 141
Packeteer 141
Flowlog File 142
Napatech Interface 142
Managing Flow Sources 142
Adding a Flow Source 142
Editing a Flow Source 145
Enabling/Disabling a Flow Source 146
Deleting a Flow Source 147
Managing Flow Source Aliases 147
Adding a Flow Source Alias 148
Editing a Flow Source Alias 148
Deleting a Flow Source Alias 149
10 CONFIGURING REMOTE NETWORKS AND SERVICES
Managing Remote Networks 151
Default Remote Network Groups 152
Adding a Remote Networks Object 152
Editing a Remote Networks Object 153
Managing Remote Services 155
Default Remote Service Groups 155
Adding a Remote Services Object 156
Editing a Remote Services Object 157
Using Best Practices 159
11 CONFIGURING RULES
Viewing Rules 162
Creating a Custom Rule 165
Creating an Anomaly Detection Rule 176
Managing Rules 185
Enabling/Disabling Rules 186
Editing a Rule 186
Copying a Rule 186
Deleting a Rule 187
Grouping Rules 187
Viewing Groups 188
Creating a Group 188
Editing a Group 189
Copying an Item to Another Group(s) 190
Deleting an Item from a Group 192
Assigning an Item to a Group 192
Editing Building Blocks 192
12 DISCOVERING SERVERS
13 FORWARDING SYSLOG DATA

Adding a Syslog Destination 197
Editing a Syslog Destination 198
Delete a Syslog Destination 199
A Q1 LABS MIB
B ENTERPRISE TEMPLATE
Default Rules 213
Default Building Blocks 232
C RULE TESTS
Event Rule Tests 267
Host Profile Tests 268
IP/Port Tests 270
Event Property Tests 271
Common Property Tests 274
Log Source Tests 275
Function - Sequence Tests 276
Function - Counter Tests 285
Function - Simple Tests 289
Date/Time Tests 289
Network Property Tests 289
Function - Negative Tests 290
Flow Rule Tests 291
IP/Port Tests 293
Flow Property Tests 294
Function - Sequence Tests 302
Function - Counters Tests 310
Date/Time Tests 314
Function - Negative Tests 316
Common Rule Tests 316
IP/Port Tests 319
Functions - Sequence Tests 323
Function - Counter Tests 331
Date/Time Tests 335
Functions Negative Tests 337
Offense Rule Tests 337
IP/Port Tests 338
Function Tests 338
Date/Time Tests 338
Log Source Tests 339
Offense Property Tests 339
Anomaly Detection Rule Tests 343
Anomaly Rule Tests 343
Behavioral Rule Tests 345
Threshold Rule Tests 347
D VIEWING AUDIT LOGS

Logged Actions 349
Viewing the Log File 353
E EVENT CATEGORIES
High-Level Event Categories 356
Recon 357
DoS 358
Authentication 360
Access 366
Exploit 368
Malware 369
Suspicious Activity 370
System 373
Policy 377
CRE 378
Potential Exploit 378
SIM Audit 379
VIS Host Discovery 380
Application 380
Audit 401
Risk 402
F CONFIGURING FLOW FORWARDING FROM PRE-7.0 OFF-SITE FLOW

SOURCES
Configuring Flow Forwarding from pre-7.0 Off-site Flow Sources 405
Adding a QRadar 7.0 Off-Site Target to a Pre-7.0 Off-Site Flow Source 405
Creating a Pre-7.0 0ff-Site Flow Source 407
Reconfiguring Flow Forwarding from an Upgraded Off-site Flow Sources 409
Removing the Pre-7.0 Off-Site Flow Source 409
Reconnecting the Off-site Target 409
Adding the Off-site Source 410
INDEX
ABOUT THIS GUIDE
The QRadar Administration Guide provides you with information for managing
QRadar functionality requiring administrative access.
Audience This guide is intended for the system administrator responsible for setting up
QRadar in your network. This guide assumes that you have QRadar administrative
access and a knowledge of your corporate network and networking technologies.
Conventions Table 1 lists conventions that are used throughout this guide.
Table 1 Icons
Icon Type Description

Information note Information that describes important features or
instructions.
Caution Information that alerts you to potential loss of

data or potential damage to an application,
system, device, or network.
Warning Information that alerts you to potential personal
injury.
Technical You can access technical documentation, technical notes, and release notes
Documentation directly from the Qmmunity web site at https://qmmunity.q1labs.com/. Once you
access the Qmmunity web site, locate the product and software release for which
you require documentation.
Your comments are important to us. Please send your e-mail comments about this
guide or any of the Q1 Labs documentation to:
documentation@q1labs.com.
Include the following information with your comments:

• Document title
• Page number

2 ABOUT THIS GUIDE
Contacting To help resolve any issues that you may encounter when installing or maintaining
Customer Support QRadar, you can contact Customer Support as follows:
• Log a support request 24/7: https://qmmunity.q1labs.com/support/
To request a new Qmmunity and Self-Service support account, send your
request to welcomecenter@q1labs.com. You must provide your invoice number
to process your account.
• Telephone assistance: 1.866.377.7000.
• Forums: Access our Qmmunity Forums to benefit from our customer
experiences.

1 OVERVIEW
This chapter provides an overview of QRadar administrative functionality including:

• About the Interface
• Using the Interface
• Deploying Changes
• Resetting SIM
• Updating User Details
• About High Availability
• Monitoring QRadar Systems with SNMP
About the Interface You must have administrative privileges to access administrative functions. To
access administrative functions, click the Admin tab in the QRadar interface. The
Admin tab provides access to the following functions:
• Manage users. See Chapter 2 Managing Users.
• Manage your network settings. See Chapter 3 Managing the System.
• Manage high availability. See Chapter 4 Managing High Availability.
• Manage QRadar settings. See Chapter 5 Setting Up QRadar.
• Manage authorized services. See Chapter 6 Managing Authorized Services
• Backup and recover your data. See Chapter 7 Managing Backup and
Recovery.
• Manage your deployment views. See Chapter 8 Using the Deployment
Editor.
• Manage flow sources. See Chapter 9 Managing Flow Sources.
• Configure remote networks and remote services. See Chapter 10 Configuring
Remote Networks and Services.
• Configure rules. See Chapter 11 Configuring Rules.
• Discover servers. See Chapter 12 Discovering Servers.
• Configure syslog forwarding. See Chapter 13 Forwarding Syslog Data.

4 OVERVIEW
• Managing vulnerability scanners. For more information, see the Managing

Vulnerability Assessment Guide.
• Configure plug-ins. For more information, see the associated documentation.
• Configure the QRadar Risk Manager. For more information, see the QRadar
Risk Manager Users Guide.
• Manage log sources. For more information, see the Log Sources Users Guide.
All configuration updates using the Admin tab are saved to a staging area. Once all
changes are complete, you can deploy the configuration changes or all
configuration settings to the remainder of your deployment.
Using the Interface The Admin tab provides several tab and menu options that allow you to configure
QRadar including:
• System Configuration - Provides access to administrative functionality, such
as user management, automatic updates, license key, network hierarchy,
system notifications, authorized services, backup and recovery, and Console
configuration.
• Data Sources - Provides access to vulnerability scanners, log source
management, custom event and flow properties, and flow sources.
• Remote Networks and Services Configuration - Provides access to QRadar
remote networks and services.
• Plugins - Provides access to plug-in components, such as the plug-in for the
QRadar Risk Manager. This option only appears if there are plug-ins installed
on your Console.
The Admin tab also includes several menu options including:

Table 2-1 Admin Tab Menu Options
Menu Option Sub-Menu Description

Deployment Editor Opens the deployment editor
interface. For more information, see
Chapter 8 Using the Deployment
Editor.
Deploy Changes Deploys any configuration changes
from the current session to your
deployment.
Advanced Clean SIM Model Resets the SIM module. See
Resetting SIM.
Deploy Full Deploys all changes.
Configuration

Deploying Changes 5
Deploying Changes Once you update your configuration settings using the Admin tab, you must save
those changes to the staging area. You must either manually deploy all changes
using the Deploy Changes button or, upon exit, a window appears prompting you
to deploy changes before you exit. All deployed changes are then applied
throughout your deployment.
Using the Admin tab menu, you can deploy changes as follows:
• Advanced > Deploy Full Configuration - Deploys all configuration settings to
your deployment.
• Deploy Changes - Deploys any configuration changes from the current
session to your deployment.
Updating User You can access your administrative user details through the main QRadar
Details interface. To access your user information, click Preferences. The User Details
window appears. You can update your administrative user details, if required.
Note: For information about the pop-up notifications, see the QRadar Users
Guide.
Resetting SIM Using the Admin tab, you can reset the SIM module, which allows you to remove
all offenses, source IP address, and destination IP address information from the
database and the disk. This option is useful after tuning your deployment to avoid
receiving any additional false positive information.
To reset the SIM module:

Step 1 Click the Admin tab.
Step 2 From the Advanced menu, select Clean SIM Model.
The Reset SIM Data Module window appears.

6 OVERVIEW
Step 3 Read the information in the window.

Step 4 Select one of the following options:
• Soft Clean - Closes all offenses in the database. If you select the Soft Clean
option, you can also select the Deactivate all offenses check box.
• Hard Clean - Purges all current and historical SIM data including offenses,
source IP addresses, and destination IP addresses.
Step 5 If you want to continue, select the Are you sure you want to reset the data
model? check box.
Step 6 Click Proceed.
A message appears indicating that the SIM reset process has started. This
process may take several minutes, depending on the amount of data in your
system.
Step 7 Click Close.
Step 8 Once the SIM reset process is complete, reset your browser.
Note: If you attempt to navigate to other areas of the user interface during the SIM
reset process, an error message appears.
About High The High Availability (HA) feature ensures availability of QRadar data in the event
Availability of a hardware or network failure. Each HA cluster consists of a primary host and a
standby secondary host. The secondary host maintains the same data as the
primary host by either replicating the data on the primary host or accessing a
shared external storage. At regular intervals, every 10 seconds by default, the
secondary host sends a heartbeat ping to the primary host to detect hardware or
network failure. If the secondary host detects a failure, the secondary host
automatically assumes all responsibilities of the primary host.

Monitoring QRadar Systems with SNMP 7
Note: HA is not supported in an IPv6 environment.
For more information about managing HA clusters, see Chapter 4 Managing High
Availability.
Monitoring QRadar QRadar supports the monitoring of our appliances through SNMP polling. QRadar
Systems with uses the Net-SNMP agent, which supports a variety of system resource monitoring
SNMP MIBs that can be polled by Network Management solutions for the monitoring and
alerting of system resources. For more information on Net-SNMP, refer to
Net-SNMP documentation.

2 MANAGING USERS
You can add or remove user accounts for all users that you want to access
QRadar. Each user is associated with a role, which determines the privileges the
user has to functionality and information within QRadar. You can also restrict or
allow access to areas of the network.
This chapter provides information on managing QRadar users including:

• Managing Roles
• Managing User Accounts
• Authenticating Users
Managing Roles You must create a role before you can create user accounts. By default, QRadar
provides a default administrative role, which provides access to all areas of
QRadar. A user that is assigned administrative privileges (including the default
administrative role) cannot edit their own account. Another administrative user
must make any desired changes.
Using the Admin tab, you can:

• View existing user roles. See Viewing Roles.
• Create a role. See Creating a Role.
• Edit a role. See Editing a Role.
• Delete a role. See Deleting a Role.
Viewing Roles To view roles:

Step 2 In the navigation menu, click System Configuration.
The System Configuration panel appears.
Step 3 In the User Management section, click the User Roles icon.
The Manage Roles window appears.

10MANAGING USERS
The Manage Roles window provides the following information:

Table 3-1 Manage Roles Parameters
Parameter Description
Role Specifies the defined user role.
Log Sources Specifies the log sources you want this role to access. This
allows you to restrict or grant access for users assigned to
the role to view logs, events, and offense data received from
assigned security and network log sources or log source
groups.
For non-administrative users, this column indicates a link
that allows an administrative user to edit the permissions for
the role. For more information on editing a user role, see
Editing a Role.
To view the list of log sources that have been assigned to
this role, move your mouse over the text in the Log Sources
column.
Associated Users Specifies the users associated with this role.
Action Allows you to edit or delete the user role.
Creating a Role To create a role:

Step 3 Click the User Roles icon.
The Manage User Roles window appears.
Step 4 Click Create Role.
The Manage Role Permissions window appears.

Managing Roles 11
Step 5 Enter values for the parameters. You must select at least one permission to
proceed.
Table 3-2 Create Roles Parameters
Role Name Specify the name of the role. The name can be up to 15
characters in length and must only contain integers and
letters.

12MANAGING USERS
Table 3-2 Create Roles Parameters (continued)
Admin Select the check box if you want to grant this user
administrative access to the QRadar interface. Within the
administrator role, you can grant additional access to the
following:
• Administrator Manager - Select this check box if you
want to allow users the ability to create and edit other
administrative user accounts. If you select this check box,
the System Administrator check box is automatically
selected.
• System Administrator - Select this check box if you want
to allow users access to all areas of QRadar. Users with
this access are not able to edit other administrator
accounts.
• Remote Networks and Services Configuration- Select
this check box if you want to allow users the ability to
configure remote networks and services in the Admin
interface.
Offenses Select the check box if you want to grant this user access to
Offenses interface. Within the Offenses interface
functionality, you can grant additional access to the following:
• Customized Rule Creation - Select the check box if you
want to allow users to create custom rules.
• Assign Offenses to Users - Select the check box if you
want to allow users to assign offenses to other users.
For more information on the Offenses interface, see the
QRadar Users Guide.
Log Activity Select the check box if you want this user to have access to
the Log Activity interface. Within the Log Activity role, you can
also grant users additional access to the following:
• Event Search Restrictions Override - Select the check
box if you want to allow users the ability to override event
search restrictions.
• Manage Time Series - Select the check box if you want to
allows users the ability to configure and view time series
data charts.
want to allow users to create rules using the Log Activity
interface.
• User Defined Event Properties - Select the check box if
you want to allow users the ability to create user-defined
event properties.
For more information on the Log Activity interface, see the
QRadar Users Guide.

Managing Roles 13
Table 3-2 Create Roles Parameters (continued)
Assets Select the check box if you want to grant this user access to
Asset Management functionality. Within the Asset
Management functionality, you can grant additional access to
the following:
• Remove Vulnerabilities - Select the check box if you
want to allows user to remove vulnerabilities from assets.
• Server Discovery - Select the check box if you want to
allow users the ability to discover servers.
• View VA Data - Select the check box if you want to allow
users access to vulnerability assessment data.
• Perform VA Scans - Select the check box if you want to
allows users to perform vulnerability assessment scans.
Network Activity Select the check box if you want to grant this user access to
Network Activity functionality. Within the Network Activity
functionality, you can grant additional access to the following:
• View Flow Content - Select the check box if you want to
allow users access to data accessed through the View
Flow function.
• Manage Time Series - Select the check box if you want to
allows users the ability to configure and view time series
data charts.
want to allow users to create rules using the Log Activity
interface.
• User Defined Flow Properties - Select the check box if
you want to allow users the ability to create user-defined
flow properties.
For more information, see the QRadar Users Guide.
Reports Select the check box if you want to grant this user access to
Reporting functionality. Within the Reporting functionality,
you can grant users additional access to the following:
• Maintain Templates - Select the check box if you want to
allow users to maintain reporting templates.
• Distribute Reports via Email - Select the check box if
you want to allow users to distribute reports through
e-mail.
For more information, see the QRadar Users Guide.
IP Right Click Menu Select the check box if you want to grant this user access to
Extensions options added to the right mouse button (right-click) menu.
Risks This option is only available if the QRadar Risk Manager is
activated. Select the check box if you want to grant users
access to QRadar Risk Manager functionality.
For more information, see the QRadar Risk Manager Users
Guide.

14MANAGING USERS
Step 6 Click Next.

Step 7 Choose one of the following options:
a If you selected a role that includes Log Activity permissions, go to Step 8.
b If you selected a role that does not include Log Activity permissions, go to Step
10.
The Add Log Sources to User Role window appears.
Step 8 Select log sources you want to add to the user role:
a Using the Log Source Group drop-down list box, select a log source group.
b From the Log Source list, locate and select the log source(s) you want user
assigned to this role to have access.
Hint: You can add an entire log source group by clicking the icon in the Log
Source Group section. You can also select multiple log sources by holding the
CTRL key while you select each log source you want to add.
c Click the icon.
The selected log source(s) moves to the Selected Log Source Objects field.
Step 9 Click Next.
A confirmation message appears.
Step 10 Click Return.
Step 11 Close the Manage Roles window.
The Admin tab appears.
Step 12 From the Admin tab menu toolbar, click Deploy Changes.

Managing Roles 15
Editing a Role To edit a role:

The Manage Role window appears.
Step 4 For the role you want to edit, click the edit icon.
The Manage Role Permissions window appears.
Step 5 Update the permissions (see Table 3-2), as necessary.
Step 6 Click Next.
a If you are editing a role that includes the Events permissions role, go to Step 8.
b If you are editing a role that does not include Events permissions, go to Step
11.
The Add Log Sources to User Role window appears.
Step 8 Update log source permissions, as desired:

a To remove a log source permission, select the log source(s) in the Selected Log
Source Objects field that you want to remove. Click Remove Selected
Devices.
b To add a log source permission, select an object you want to add from the left
panel.
Step 9 Repeat for all log sources you want to edit for this role.
Step 10 Click Next.
Step 12 Click Save.

16MANAGING USERS
Step 13 Close the Manage User Roles window.

Step 14 From the Admin tab menu, click Deploy Changes.
Deleting a Role To delete a role:

The Manage Roles window appears.
Step 4 For the role you want to delete, click the delete icon.
A confirmation window appears.
Step 5 Click Ok.
Managing User You can create a QRadar user account, which allows a user to access selected
Accounts network components using the QRadar interface. You can also create multiple
accounts for your system that include administrative privileges. Only the main
administrative account can create accounts that have administrative privileges.
You can create and edit user accounts to access QRadar including:
• Creating a User Account
• Editing a User Account
• Disabling a User Account
Creating a User To create an account for a QRadar user:

Account
Step 3 Click the Users icon.
The Manage Users window appears.
Step 4 In the Manage Users area, click Add.
The User Details window appears.

Managing User Accounts 17
Step 5 Enter values for the following parameters:
Table 3-3 User Details Parameters
Username Specify a username for the new user. The username must not
include spaces or special characters.
Password Specify a password for the user to gain access. The password
must be at least five characters in length.
Confirm Password Re-enter the password for confirmation.
Email Address Specify the user’s e-mail address.
Role Using the drop-down list box, select the role you want this user to
assume. For information on roles, see Managing Roles. If you
select Admin, this process is complete.
Step 6 Click Next.

a If you select Admin as the user role, go to Step 10.
b If you select a non-administrative user role, go to Step 8.
The Selected Network Objects window appears.

18MANAGING USERS
Step 8 From the menu tree, select the network objects you want this user to be able to
monitor.
The selected network objects appear in the Selected Network Object panel.
Step 9 Click Finish.
Step 10 Close the Manage Users window.
The Admin interface appears.
Editing a User To edit a user account:

Account
Step 4 In the Manage Users area, click the user account you want to edit.
Step 5 Update values (see Table 3-3), as necessary.
Step 6 Click Next.
If you are editing a non-administrative user account, the Selected Network Objects
window appears. If you are editing an administrative user account, go to Step 10.
Step 7 From the menu tree, select the network objects you want this user to access.
The selected network objects appear in the Selected Network Object panel.

Step 8 For all network objects you want to remove access, select the object from the
Selected Network Objects panel. Click Remove.
Disabling a User To disable a user account:

Account
Step 4 In the Manage Users area, click the user account you want to disable.
Step 5 In the Role drop-down list box, select Disabled.
Step 6 Click Next.
The Admin tab appears. This user no longer has access to the QRadar interface. If
this user attempts to log in to QRadar, the following message appears: This
account has been disabled.
After you delete a user, items such as saved searches, reports, and assigned
offenses, will remain associated with the deleted user.
Authenticating You can configure authentication to validate QRadar users and passwords.
Users QRadar supports the following user authentication types:
• System Authentication - Users are authenticated locally by QRadar. This is
the default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication
Dial-in User Service (RADIUS) server. When a user attempts to log in, QRadar
encrypts the password only, and forwards the username and password to the
RADIUS server for authentication.
• TACACS Authentication - Users are authenticated by a Terminal Access
Controller Access Control System (TACACS) server. When a user attempts to
log in, QRadar encrypts the username and password, and forwards this
information to the TACACS server for authentication.
• LDAP/ Active Directory - Users are authenticated by a Lightweight Directory
Access Protocol (LDAP) server using Kerberos.

20MANAGING USERS
If you want to configure RADIUS, TACACS, or LDAP/Active Directory as the

authentication type, you must:
• Configure the authentication server before you configure authentication in
QRadar.
• Make sure the server has the appropriate user accounts and privilege levels to
communicate with QRadar. See your server documentation for more
information.
• Make sure the time of the authentication server is synchronized with the time of
the QRadar server. For more information on setting QRadar time, see
Chapter 5 Setting Up QRadar.
• Make sure all users have appropriate user accounts and roles in QRadar to
allow authentication with the third-party servers.
Once authentication is configured and a user enters an invalid username and

password combination, a message appears indicating the login was invalid. If the
user attempts to access the system multiple times using invalid information, the
user must wait the configured amount of time before attempting to access the
system again. For more information on configuring Console settings for
authentication, see Chapter 5 Setting Up QRadar - Configuring the Console
Settings.
An administrative user can access QRadar through a third-party authentication

module or by using the local QRadar Admin password. The QRadar Admin
password still functions if you have setup and activated a third-party authentication
module, however, you can not change the QRadar Admin password while the
authentication module is active. If you want to change the QRadar admin
password, you need to temporarily disable the third-party authentication module,
reset the password, and then reconfigure the third-party authentication module.
To configure authentication:
Step 3 Click the Authentication icon.
The Authentication window appears.
Step 4 From the Authentication Module drop-down list box, select the authentication type
you want to configure.
Step 5 Configure the selected authentication type:

a If you selected System Authentication, go to Step 6.

b If you selected RADIUS Authentication, enter values for the following
parameters:
Table 3-4 RADIUS Parameters
RADIUS Server Specify the hostname or IP address of the RADIUS server.
RADIUS Port Specify the port of the RADIUS server.
Authentication Specify the type of authentication you want to perform. The
Type options are:
• CHAP (Challenge Handshake Authentication Protocol) -
Establishes a Point-to-Point Protocol (PPP) connection
between the user and the server.
• MSCHAP (Microsoft Challenge Handshake Authentication
Protocol) - Authenticates remote Windows workstations.
• ARAP (Apple Remote Access Protocol) - Establishes
authentication for AppleTalk network traffic.
• PAP (Password Authentication Protocol) - Sends clear text
Shared Secret Specify the shared secret that QRadar uses to encrypt RADIUS
passwords for transmission to the RADIUS server.
c If you selected TACACS Authentication, enter values for the following

parameters:
Table 3-5 TACACS Parameters
TACACS Server Specify the hostname or IP address of the TACACS server.
TACACS Port Specify the port of the TACACS server.
Authentication Specify the type of authentication you want to perform. The
Type options are:
• ASCII
• PAP (Password Authentication Protocol) - Sends clear text
• CHAP (Challenge Handshake Authentication Protocol) -
Establishes a PPP connection between the user and the
server.
• MSCHAP (Microsoft Challenge Handshake Authentication
Protocol) - Authenticates remote Windows workstations.
• MSCHAP2 - (Microsoft Challenge Handshake Authentication
Protocol version 2)- Authenticates remote Windows
workstations using mutual authentication.
• EAPMD5 (Extensible Authentication Protocol using MD5
Protocol) - Uses MD5 to establish a PPP connection.

22MANAGING USERS
Table 3-5 TACACS Parameters (continued)
Shared Secret Specify the shared secret that QRadar uses to encrypt TACACS
passwords for transmission to the TACACS server.
d If you selected LDAP/ Active Directory, enter values for the following
parameters:
Table 3-6 LDAP/ Active Directory Parameters
Server URL Specify the URL used to connect to the LDAP server. For
example, ldap://<host>:<port>
LDAP Context Specify the LDAP context you want to use, for example,
DC=Q1LABS,DC=INC.
LDAP Domain Specify the domain you want to use, for example q1labs.inc.
Step 6 Click Save.

This chapter provides information for managing your system including:

• Managing Your License Keys
• Restarting a System
• Shutting Down a System
• Configuring Access Settings
Managing Your For your QRadar Console, a default license key provides you access to the
License Keys interface for 5 weeks. You must manage your license key using the System and
License Management window, which you can access using the Admin tab. This
window provides the status of the license key for each system (host) in your
deployment including:
• Valid - The license key is valid.
• Expired - The license key has expired. To update your license key, see
Updating your License Key.
• Override Console License - This host is using the Console license key. You
can use the Console key or apply a license key for this system. If you want to
use the Console license for any system in your deployment, click Revert to
Console in the Manage License window. The license for that system will default
to the Console license key.
A license key allows a certain number of log sources to be configured in your

system. If you exceed the limit of configured logs sources, as established by the
license key, an error message appears in the interface. To extend the number of
log sources allowed, contact your sales representative.
This section provides information on managing your license keys including:

• Updating your License Key
• Exporting Your License Key Information

Updating your For your QRadar Console, a default license key provides you with access to the
License Key interface for 5 weeks. Choose one of the following options for assistance with your
license key:
• For a new or updated license key, contact your local sales representative.
• For all other technical issues, contact Q1 Labs Customer Support.
If you log in to QRadar and your Console license key has expired, you are
automatically directed to the System and License Management window. You must
update the license key before you can continue. However, if one of your
non-Console systems includes an expired license key, a message appears when
you log in indicating a system requires a new license key. You must navigate to the
System and License Management window to update that license key.
To update your license key:

Step 3 Click the System and License Management icon.
The System and License Management window appears providing a list of all hosts
in your deployment.
Step 4 Select the host for which you want to view the license key.
Step 5 From the Actions menu, select Manage License.
The Current License Details window appears providing the current license key
limits. If you want to obtain additional licensing capabilities, please contact your
sales representative.

Managing Your License Keys 25
Step 6 Click Browse beside the New License Key File field and locate the license key.
Step 7 Once you locate and select the license key, click Open.
The Current License Details window appears.
Step 8 Click Save.
Step 9 In the System and License Management window, click Deploy License Key.
Note: If you want to revert back to the previous license key, click Revert to
Deployed. If you revert to the license key used by the QRadar Console system,
click Revert to Console.
The license key information is updated in your deployment.
Exporting Your To export your license key information for all systems in your deployment:
License Key
Information


The System and License Management window appears providing a list of all hosts
in your deployment.
Step 4 Select the system that includes the license you want to export.
Step 5 From the Actions menu, select Export Licenses.
The export window appears.
Step 6 Select one of the following options:
• Open with - Opens the license key data with the selected application.
• Save File - Allows you to save the file to your desktop.
Step 7 Click OK.
Restarting a To restart a QRadar system:

System
The System and License Management window appears.
Step 4 Select the system you want to restart.
Step 5 From the Actions menu, select Restart System.
Note: Data collection stops while the system is shutting down and restarting.
Shutting Down a To shutdown a QRadar system:

System

Step 4 Select the system you want to shut down.

Step 5 From the Actions menu, select Shutdown.
Note: Data collection stops while the system is shutting down.
Configuring The System and License Management window provides access to the web-based
Access Settings system administration interface, which allows you to configure firewall rules,
interface roles, passwords, and system time. This section includes:
• Firewall access. See Configuring Firewall Access.
• Update your host set-up. See Updating Your Host Set-up.
• Configure the interface roles for a host. See Configuring Interface Roles.
• Change password to a host. See Changing Passwords.
• Update the system time. See Updating System Time.
Configuring Firewall You can configure local firewall access to enable communications between
Access devices and QRadar. Also, you can define access to the web-based system
administration interface.
To enable QRadar managed hosts to access specific devices or interfaces:

Step 4 Select the host for which you want to configure firewall access settings.
Step 5 From the Actions menu, select Manage System.
Step 6 Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 7 From the menu, select Managed Host Config > Local Firewall.

The Local Firewall window appears.
Step 8 In the Device Access box, you must include any QRadar systems you want to have
access to this managed host. Only managed hosts listed will have access. For
example, if you only enter one IP address, only that one IP address will be granted
access to the managed host. All other managed hosts are blocked.
To configure access:
a In the IP Address field, enter the IP address of the managed host you want to
have access.
b From the Protocol list box, select the protocol you want to enable access for the
specified IP address and port:
- UDP - Allows UDP traffic.
- TCP - Allows TCP traffic.
- Any - Allows any traffic.
c In the Port field, enter the port on which you want to enable communications.
Note: If you change your External Flow Source Monitoring Port parameter in the
QFlow Configuration, you must also update your firewall access configuration.
d Click Allow.
Step 9 In the System Administration Web Control box, enter the IP address(es) of
managed host(s) that you want to allow access to the web-based system

administration interface in the IP Address field. Only IP addresses listed will have
access to the interface. If you leave the field blank, all IP addresses will have
access. Click Allow.
Note: Make sure you include the IP address of your client desktop you want to use
to access the interface. Failing to do so may affect connectivity.
Step 10 Click Apply Access Controls.
Step 11 Wait for the interface to refresh before continuing.
Updating Your Host You can use the web-based system administration interface to configure the mail
Set-up server you want QRadar to use and the global password for QRadar configuration:
To configure your host set-up:

Step 4 Select the host for which you want to update your host setup settings.
Username: root
Step 7 From the menu, select Managed Host Config > QRadar Setup.
The QRadar Setup window appears.
Step 8 In the Mail Server field, specify the address for the mail server you want QRadar
to use. QRadar uses this mail server to distribute alerts and event messages. To
use the mail server provided with QRadar, enter localhost.

Step 9 In the Enter the global configuration password, enter the password you want to
use to access the host. Confirm the entered password.
Note: The global configuration password does not accept special characters. The
global configuration password must be the same throughout your deployment. If
you edit this password, you must also edit the global configuration password on all
systems in your deployment.
Step 10 Click Apply Configuration.
Configuring Interface You can assign specific roles to the network interfaces on each managed host.
Roles
To assign roles:
Step 4 Select the host for which you want to configure interface role settings.
Username: root
Step 7 From the menu, select Managed Host Config > Network Interfaces.
The Network Interfaces window appears with a list of each interface on your
managed host.
Note: For assistance with determining the appropriate role for each interface,
contact Q1 Labs Customer Support.

Step 8 For each interface listed, select the role you want to assign to the interface using
the Role list box.
Step 9 Click Save Configuration.
Step 10 Wait for the interface to refresh before continuing.
Changing Passwords To change the passwords:

Step 4 Select the host for which you want to configure interface role settings.
Username: root
Step 7 From the menu, select Managed Host Config > Root Password.
The Root Passwords window appears.

Step 8 Update the passwords:
Note: Make sure you record the entered values. The root password does not
accept the following special characters: apostrophe (‘), dollar sign ($), exclamation
mark (!).
• New Root Password - Specify the root password necessary to access the
web-based system administration interface.
• Confirm New Root Password - Re-enter the password for confirmation.
Step 9 Click Update Password.
Updating System You are able to change the time for the following options:
Time • System time
• Hardware time
• Time Zone
• Time Server
Note: All system time changes must be made within the System Time window. You
must change the system time information on the host operating the Console only.
The change is then distributed to all managed hosts in your deployment.
You can configure time for your system using one of the following methods:
• Configuring Your Time Server Using RDATE
• Manually Configuring Time Settings For Your System
Configuring Your Time Server Using RDATE

To update the time settings using RDATE:
Step 4 Select the host for which you want to configure system time settings.


Username: root
Step 7 From the menu, select Managed Host Config > System Time.
The System Time window appears.
Step 8 Configure the time zone:
a Click Change time zone.
The Time Zone window appears.
b Using the Change timezone to drop-down list box, select the time zone in which
this managed host is located.
c Click Save.
Step 9 Configure the time server:
a Click Time server sync.
The Time Server window appears.

b Configure the following parameters:

Table 4-1 Time Server Parameters
Timeserver hostnames or Specify the time server hostname or IP address.
addresses
Set hardware time too Select the check box if you want to set the
hardware time as well.
Synchronize on schedule? Specify one of the following options:
• No - Select the option if you do not want to
synchronize the time. Go to c.
• Yes - Select the option if you want to synchronize
the time.
Simple Schedule Specify if you want the time update to occur at a
specific time. If not, select the Run at times
selected below option.
Times and dates are selected Specify the time you want the time update to
below occur.
c Click Sync and Apply.

Manually Configuring Time Settings For Your System

To update the time settings for your system:
Step 4 Select the host for which you want to configure system time settings.
Username: root
Step 7 From the menu, select Managed Host Config > System Time.
The System Time window appears.
Caution: The time settings window is divided into two sections. You must save
each setting before continuing. For example, when you configure System Time,
you must click Apply within the System Time section before continuing.
Step 8 Click Set time.
Step 9 Set the system time:
a Choose one of the following options:

- In the System Time box, specify the current date and time you want to
assign to the managed host.
- Click Set system time to hardware time.
b Click Apply.
The Hardware Time window appears.

Step 10 Set the hardware time:

a Choose one of the following options:
- In the Hardware Time box, specify the current date and time you want to
assign to the managed host.
- Click Set hardware time to system time.
b Click Save.
Step 11 Configure the time zone:
a Click Change time zone.
The Time Zone window appears.
b Using the Change Timezone To drop-down list box, select the time zone in
which this managed host is located.
c Click Save.

The High Availability (HA) feature ensures QRadar data remains available in the
event of a hardware or network failure. To achieve HA, QRadar pairs a primary
appliance with a secondary HA appliance to create an HA cluster. The HA cluster
uses several monitoring functions, such as a heartbeat ping between the primary
and secondary appliances, and network connectivity monitoring to other
appliances in the QRadar deployment. The secondary host maintains the same
data as the primary host by one of two methods: data synchronization between the
primary and secondary appliances or shared external storage. If the secondary
host detects a failure, the secondary host automatically assumes all
responsibilities of the primary host.
Scenarios that cause failover include:
• Network failure, as detected by network connectivity testing
• Management interface failure on the primary host
• Complete Redundant Array of Independent Disks (RAID) failure on the primary
host
• Power supply failure
• Operating system malfunction that delays or stops the heartbeat ping
Note: Heartbeat messages do not monitor specific QRadar processes.
Note: You can manually force a failover from a primary host to a secondary host.
This is useful for planned maintenance on the primary host. For more information
about manually forcing a failover, see Setting an HA Host Offline.
This chapter provides information for configuring and managing HA, including:
• Before You Begin
• HA Deployment Overview
• Adding an HA Cluster
• Editing an HA Cluster
• Setting an HA Host Offline
• Setting an HA Host Online
• Restoring a Failed Host

Before You Begin Before adding an HA cluster, confirm the following:
Note: For more information about HA concepts, such as HA clustering and data
storage strategies, see HA Deployment Overview.
• If you plan to enable disk replication (see Disk Synchronization), we require
that the connection between the primary host and secondary host have a
minimum bandwidth of 1 gigabits per second (Gbps).
• Virtual LAN (VLAN) routing, which divides a physical network into multiple
subnets, is not recommended.
• The secondary host is located on the same subnet as the primary host.
• The new primary host IP address is set up on the same subnet.
• The management interface only supports one Cluster Virtual IP address.
Multihoming is not supported.
• The secondary host you want to add must have a valid HA activation key.
• The secondary host must use the same management interface specified as the
primary host. For example, if the primary host uses ETH0 as the management
interface, the secondary host must also use ETH0.
• The secondary host you want to add must not already be a component in
another HA cluster.
• The primary and secondary host must have the same QRadar software version
and patch level installed.
• If you plan to share storage (see Shared Storage), the secondary host must be
configured with the same external iSCSI devices (if any) as the primary host.
For more information about configuring iSCSI, see the Configuring iSCSI
technical note.
• If you are configuring HA on your own hardware installed with QRadar software,
the /store partition on the secondary host must be equal to or larger than the
/store partition on the primary host. For example, do not pair an primary host
with a 3 TB disk with a secondary host with a 2 TB disk. The appliances must
be the same model and type, and have the same disk configuration.
• We recommend that you backup your configuration information and data on all
hosts you intend to configure for HA. For more information about backing up
your configuration information and data, see Chapter 7 Managing Backup
and Recovery.
Note: Disk replication is not enabled by default on QFlow Collectors and is not
required for successful failover.

HA Deployment This overview includes information on the key HA deployment concepts, including:
Overview • HA Clustering
• Data Storage Strategies
• Failovers
HA Clustering An HA cluster consists of the following:

• Primary host - The primary host is the host for which you want to configure HA.
You can configure HA for any system (Console or non-Console) in your
deployment. When you configure HA, the IP address of the primary host
automatically becomes the Cluster Virtual IP address; therefore, you must
configure a new IP address for the primary host.
• Secondary host - The secondary host is the standby for the primary host. If the
primary host fails, the secondary host automatically assumes all responsibilities
of the primary host.
• Cluster Virtual IP address - When you configure HA, the current IP address of
the primary host automatically becomes the Cluster Virtual IP address and you
must assign a new IP address to the primary host. In the event that the primary
host fails, the Cluster Virtual IP address is assumed by the secondary host.
QRadar uses the primary host’s IP address as the Cluster Virtual IP address to
allow other hosts in your deployment to continue communicating with the HA
cluster without requiring you to reconfigure the hosts to send data to a new IP
address.
In the following figure, for example, the current IP address of the primary host is
10.100.1.1 and the IP address of the secondary host is 10.100.1.2.
When configured as an HA cluster, the current primary host IP address

(10.100.1.1) automatically becomes the Cluster Virtual IP address. A new IP
address must be assigned to the primary host. In this example, the assigned IP
address for the primary host is 10.100.1.3.

Note: You can view the IP addresses for the HA cluster by pointing your mouse
over the Host Name field in the System and License Management window.
Data Storage QRadar provides the following data storage strategies in an HA deployment:
Strategies • Disk Synchronization
• Shared Storage
Disk Synchronization
The hosts in an HA cluster must have access to the same data on the /store
partition. When you install your secondary host and apply an HA license key, a
/store partition is automatically installed and configured on the host. Once an HA
cluster is configured with the Disable Disk Replication option cleared (default) and
the /store partition is not mounted externally, data in the active host’s /store
partition is automatically replicated to the standby host’s /store partition using a
disk synchronization system.
When you initially add an HA cluster, the first disk synchronization can take an
extended period of time to complete, depending on size of your /store partition and
your disk synchronization speed. For example, the initial disk synchronization can
take an extended period of time, up to 24 hours or more, depending on your
deployment. We require that the connection between the primary host and
secondary host have a minimum bandwidth of 1 gigabits per second (Gbps). The
secondary host only assumes the Standby status after the initial disk
synchronization is complete.
When the primary host fails over and the secondary host becomes the Active host,
the secondary host continues to read and write data on the /store partition. When
the primary host is restored, the two /store partitions are no longer synchronized.
Therefore, before the primary host can resume the Active state, disk replication
automatically occurs. When disk replication is complete, the primary host is set to

the Offline state and you must manually set the primary host to the Online state.
The period of time to perform the post-failover disk synchronization is considerably
less than the initial disk synchronization, unless the disk on the primary host disk
was replaced or reformatted when the host was manually repaired.
Shared Storage
If the primary host has the /store partition mounted on an external storage device,
the secondary host must also have the /store partition mounted on the same
external storage device.
Caution: You must configure the external storage on the secondary host before
configuring the HA cluster. For more information on configuring external storage,
see the Configuring iSCSI technical note.
If the primary and secondary host access the shared storage at the same time,
data corruption can occur. Before a failover occurs, the secondary host determines
if the primary host is still accessing the shared storage. If the secondary host
detects the primary host is still reading and writing to the shared storage, failover
cannot occur. The secondary host is automatically set to the Offline state.
Caution: If your primary host and secondary hosts are geographically isolated,
failover may still occur while the primary host is reading or writing to the shared
storage.
Failovers When the primary host fails over, the secondary host performs the following
actions in sequence:
• Mounts any external shared storage devices, if required.
• Creates a network alias for the management interface. For example, the
network alias for eth0 is eth0:0.
• Assigns the Cluster Virtual IP address to the network alias.
• Starts all QRadar services.
• Connects to the Console and downloads configuration files.
This section includes information on general failover scenarios, including:
• Primary Network Failure
• Primary Disk Failure
• Secondary Network or Disk Failure
Primary Network Failure

The primary host automatically pings all other managed hosts to test it’s network
connection. If the primary host loses network connectivity to a managed host and
the connection to the secondary host is still intact, the primary host requests the
secondary host to verify that it has full connectivity to other managed hosts in the
deployment. The secondary host performs a network connectivity test, testing all
hosts specified in the Advanced Settings of the HA wizard, (Table 5-2). If the test

succeeds, the primary host performs a controlled shutdown and fails over to the
secondary host. This prevents the primary host failover to a secondary host that is
also experiencing network connectivity problems.
Primary Disk Failure

An HA cluster configured with disk replication monitors disks on which the /store
partition is mounted. If RAID completely fails and all disks are unavailable, the
primary host performs shuts down and fails over to the secondary host.
Secondary Network or Disk Failure

If the primary host detects that the secondary host has failed, the primary host
generates an event to notify you that the secondary host is no longer providing HA
protection.
Adding an HA The System and License Management window allows you to manage your HA
Cluster clusters
To add an HA cluster:
Step 4 Select the host for which you want to configure HA.
Step 5 From the Actions menu, select Add HA Host.
Note: If the primary host is a Console, a warning message appears to indicate that
the user interface restarts after you add the HA host. Click OK to proceed.
The HA Wizard appears.

Note: If you do not want to view the Welcome to the High Availability window
again, select the Skip this page when running the High Availability wizard
check box.
Step 6 Read the introductory text. Click Next.
The Select the High Availability Wizard Options window appears, automatically
displaying the Cluster Virtual IP address, which is the IP address of the primary
host (Host IP).
Step 7 To configure the HA host information, configure the following parameters:

Table 5-1 HA Host Information Parameters
Primary Host IP Address Specify a new primary host IP address. The new
primary host IP address is assigned to the primary
host, replacing the previous IP address. The current
IP address of the primary host becomes the Cluster
Virtual IP address.
If the primary host fails and the secondary host
becomes active, the Cluster Virtual IP address is
assigned to the secondary host.
Note: The new primary host IP address must be on
the same subnet as the Host IP.
Secondary Host IP Address Specify the IP address of the secondary host you
want to add. The secondary host must be in the
same subnet as the primary host.
Enter the root password of the Specify the root password for the secondary host.
host The password must not include special characters.
Confirm the root password of Confirm the root password for the secondary host.
the host
Step 8 Optional. To configure advanced parameters:

a Click the arrow beside Show Advanced Options.
The advanced option parameters appear.
b Configure the following parameters:

Table 5-2 Advanced Options Parameters
Heartbeat Intervals (seconds) Specify the time, in seconds, you want to elapse
between heartbeat messages. The default is 10
seconds.
At the specified interval, the secondary host sends a
heartbeat ping to the primary host to detect
hardware and network failure.
For more information about failover scenarios, see
HA Deployment Overview.
Heartbeat Timeout (seconds) Specify the time, in seconds, you want to elapse
before the primary host is considered unavailable if
there is no heartbeat detected. The default is 30
seconds.
If the secondary host detects a failure, the
secondary host automatically assumes all
responsibilities of the primary host.
For more information about failover scenarios, see
HA Deployment Overview.
Network Connectivity Test Specify the IP address(es) of the host(s) you want
List peer IP addresses (comma the secondary host to ping, as a means to test it’s
delimited) own network connection. The default is all other
managed hosts in your deployment.
For more information on network connectivity
testing, see Primary Network Failure.
Disk Synchronization Rate Specify or select the disk synchronization rate. The
(MB/s) default is 100 MB/s.
Caution: When you initially add an HA cluster, the
first disk synchronization can take an extended
period of time to complete, depending on size of
your /store partition and your disk synchronization
speed. For example, the initial disk synchronization
can take up to 24 hours or more. The secondary
host only assumes the Standby status after the initial
disk synchronization is complete.
Note: We require that the connection between the
primary host and secondary host have a minimum
bandwidth of 1 gigabits per second (Gbps).
Disable Disk Replication Select this option if you want to disable disk
replication.
Note: This option is only visible for non-Console
hosts.
c Click Next.
The HA Wizard connects to the primary and secondary host to perform the
following validations:

• Verifies that the secondary host has a valid HA activation key.

• Verifies that the secondary host is not already added to another HA cluster.
• Verifies that the software versions on the primary and secondary hosts are the
same.
• Verifies that the primary and secondary hosts support the same Device Support
Module (DSM), scanner, and protocol RPMs.
• Verifies if the primary host has an externally mounted storage system. If it does,
the HA wizard then verifies that the secondary host also has an externally
mounted storage system.
If any of these validations fail, the HA wizard displays an error message and then
closes.
The Confirm the High Availability Wizard Options window appears.
Caution: If the primary host is configured with external storage, you must
configure the secondary host with the same external storage before continuing.
Step 9 Review the information. Click Finish.
Note: If Disk Synchronization is enabled, it can take 24 hours or more for the data
to initially synchronize.
Note: If required, click Back to return to the Confirm the High Availability Wizard
options window to edit the information.
The System and License Management window displays the HA cluster you added.
Use the Arrow icon to display or hide the secondary host.

The System and License Management window provides the status of your HA
clusters including:
Table 5-3 HA Status Descriptions
Status Description
Active Specifies that the host is acting as the active system
with all services running. Either the primary or
secondary host can display the Active status. If the
secondary host is displaying the Active status,
failover has occurred.
Standby Specifies that the host is acting as the standby
system. This status will only display for a secondary
host. The standby system has no services running. If
disk replication is enabled, the standby system is
replicating data from the primary host. If the primary
host fails, the standby system automatically
assumes the active role.
Failed Specifies that the host is in a failed state. Both the
primary or secondary host can display the Failed
status:
• If the primary host displays the Failed status, the
secondary host takes over the services and
should now display the Active status.
• If the secondary host displays the Failed status,
the primary host remains active, but is not
protected by HA.
A system in the failed state must be manually
repaired (or replaced), and then restored. See
Restoring a Failed Host.
Note: Depending on the type of failure that caused
the failover, you may not be able to access a failed
system from the Console.
Synchronizing Specifies that the host is synchronizing data on the
local disk of the host to match the currently active
system.
Note: This status only appears if disk replication is
enabled.
Online Specifies that the host is online.

Table 5-3 HA Status Descriptions (continued)
Status Description
Offline Specifies that the host is offline. All processes are
stopped and the host is not monitoring the heartbeat
from the active system. Both the primary and the
secondary can display the Offline status. While in the
Offline state, disk replication continues if it is
enabled.
Restoring Once you select High Availability > Restore
System to restore a failed host (see Restoring a
Failed Host), this status specifies that system is in
the process of restoring.
Needs License Specifies that a license key is required for the HA
cluster. See Chapter 3 Managing the System -
Updating your License Key. In the Needs License
state, no processes are running.
Setting Offline Specifies that the host is in the process of changing
state from online to offline.
Setting Online Specifies that the host is in the process of changing
state from offline to online.
Needs Upgrade Specifies that the host requires a software upgrade,
because the primary host has been upgraded to a
newer software version.
If the secondary host displays the Needs Upgrade
status, the primary host remains active, but is not
protected by HA. Heartbeat monitoring and disk
replication, if enabled, continue to function.
Note: Only a secondary host can display a Needs
Upgrade status.
Upgrading Specifies that the host is in the process of upgrading
software.
If the secondary host displays the Upgrading status,
the primary host remains active, but is not protected
by HA. Heartbeat monitoring and disk replication, if
enabled, continue to function.
Note: Only a secondary host can display an
Upgrading status.
Editing an HA Using the Edit HA Host feature, you can edit the advanced options for your HA
Cluster cluster.
To edit an HA cluster:

Editing an HA Cluster 49

Step 4 Select the row for the HA cluster you want to edit.
Step 5 From the High Availability menu, select Edit HA Host.
The HA Wizard appears, displaying the Select the High Availability Wizard Options
window.
Step 6 Edit the parameters in the advanced options section. See Table 5-2.
Step 7 Click Next.
The Confirm the High Availability Wizard Options window appears.

Step 8 Review the information. Click Finish.

The secondary host restarts and your HA cluster continues functioning.
Removing an HA You can remove an HA host from a cluster. You cannot remove a host from an HA
Host cluster when the primary HA host is in the Failed, Offline, or Synchronizing state.
To remove an HA host:
Step 4 Select the HA host you want to set to remove.
Step 5 From the High Availability menu, select Remove HA Host.
A confirmation message appears, indicating that removing an HA host will reboot
the user interface.
Step 6 Click OK.
Once you remove an HA host, the host restarts and becomes available to be
added to another cluster.

Setting an HA Host Offline 51
Setting an HA Host You can set either the primary or secondary host to Offline from the Active or
Offline Standby state. If you set the active system to offline, the standby system becomes
the active system, thereby forcing a failover. If you set the standby system to
offline, the standby system no longer monitors the heartbeat of the active system,
however, continues to synchronize data from the active system.To set an HA host
offline:
Step 4 Select the HA host you want to set to offline.
Step 5 From the High Availability menu, select Set System Offline.
The status for the host changes to Offline.
Setting an HA Host When you set the secondary host to online, the secondary host becomes the
Online standby system. If you set the primary host to online while the secondary system is
currently the active system, the primary host becomes the active system and the
secondary host automatically becomes the standby system.
To set an HA host online:

Step 4 Select the offline HA host you want to set to online.
Step 5 From the High Availability menu, select Set System Online.
The status for the host changes to Online.
Restoring a Failed If a host displays a status of Failed, a hardware or network failure occurred for that
Host host. Before you can restore the host using the user interface, you must manually
repair the host. For more information, see your network administrator.
To restore a failed system:

Step 1 Recover the failed host.

Note: Recovering a failed host involves re-installing QRadar. For more information
about recovering a failed host, see the QRadar Installation Guide. If you are
recovering a primary host and your HA cluster uses shared storage, you must
manually configure iSCSI. For more information about configuring iSCSI, see the
Configuring iSCSI technical note.
Step 5 Select the failed HA host you want to restore.
Step 6 From the High Availability menu, select Restore System.
The system restores the HA configuration on the failed host. The status of the host
changes through the following sequence:
a Restoring
b Synchronizing (if disk synchronization is enabled)
c Standby (secondary host) or Offline (primary host)
If the restored host is the primary system, you must manually set the primary
system to the Online state. See Setting an HA Host Online.

5 SETTING UP QRADAR
This chapter provides information on setting up QRadar including:

• Creating Your Network Hierarchy
• Scheduling Automatic Updates
• Configuring System Settings
• Configuring System Notifications
• Configuring the Console Settings
Creating Your QRadar uses the network hierarchy to understand your network traffic and provide
Network Hierarchy you with the ability to view network activity for your entire deployment.
When you develop your network hierarchy, you should consider the most effective
method for viewing network activity. Note that the network you configure in QRadar
does not have to resemble the physical deployment of your network. QRadar
supports any network hierarchy that can be defined by a range of IP addresses.
You can create your network based on many different variables, including
geographical or business units.
Considerations Consider the following when defining your network hierarchy:

• Group together systems and user groups that have similar behavior. This
provides you with a clear view of your network.
• Create multiple top-level groups if your deployment is processing more than
600,000 flows.
• Organize your systems/networks by role or similar traffic patterns. For example,
mail servers, departmental users, labs, or development groups. This allows you
to differentiate network behavior and enforce network management security
policies.
• Do not group together servers that have unique behavior with other servers on
your network. For example, placing a unique server alone provides the server
greater visibility in QRadar allowing you to enact specific policies.
• Within a group, place servers with high volumes of traffic, such as mail servers,
at the top of the group. This provides you a clear visual representation when a
discrepancy occurs. We recommend that you extend this practice to all groups.

54 SETTING UP QRADAR
• Combine multiple Classless Inter-Domain Routings (CIDRs) or subnets into a

single network/group to conserve disk space. For example:
Group Description IP Address

1 Marketing 10.10.5.0/24
2 Sales 10.10.8.0/21
3 Database Cluster 10.10.1.3/32
10.10.1.4/32
10.10.1.5/32
Note: We recommend that you do not configure a network group with more than 15
objects. This may cause you difficulty in viewing detailed information for each
group.
You may also want to define an all-encompassing group so when you define new
networks, the appropriate policies and behavioral monitors are applied. For
example:
Group Subgroup IP Address

Cleveland Cleveland misc 10.10.0.0/16
Cleveland Cleveland Sales 10.10.8.0/21
Cleveland Cleveland Marketing 10.10.1.0/24
If you add a new network to the above example, such as 10.10.50.0/24, which is
an HR department, the traffic appears as Cleveland-based and any rules applied
to the Cleveland group is applied by default.
Defining Your To define your network hierarchy:

Network Hierarchy
Step 3 Click the Network Hierarchy icon.
The Network Views window appears.

Step 4 From the menu tree, select the areas of the network in which you want to add a
network component.
The Manage Group window appears for the selected network component.
Step 5 Click Add.
The Add Network Object window appears.
Step 6 Enter your network object values:
Table 6-1 Add New Object Parameters
Parameter Action
Group Specify the group for the new network object. Click Add Group
to specify the group.
Name Specify the name for the object.
Weight Specify the weight of the object. The range is 0 to 100 and
indicates the importance of the object in the system.
IP/CIDR(s) Specify the CIDR range(s) for this object. For more information
on CIDR values, see Accepted CIDR Values.

Table 6-1 Add New Object Parameters (continued)
Parameter Action
Description Specify a description for this network object.
Color Specify a color for this object.
Database Length Specify the database length.
Step 7 Click Save.

Step 8 Repeat for all network objects.
Step 9 Click Re-Order.
The Reorder Group window appears.
Step 10 Organize the network objects in the desired order.

Step 11 Click Save.
Note: We recommend adding key servers as individual objects and grouping other
major but related servers into multi-CIDR objects.
Accepted CIDR Values

The following table provides a list of the CIDR values that QRadar accepts:
Table 6-2 Accepted CIDR Values
CIDR Number of
Length Mask Networks Hosts
/1 128.0.0.0 128 A 2,147,483,392
/2 192.0.0.0 64 A 1,073,741,696
/3 224.0.0.0 32 A 536,870,848
/4 240.0.0.0 16 A 268,435,424
/5 248.0.0.0 8A 134,217,712
/6 252.0.0.0 4A 67,108,856
/7 254.0.0.0 2A 33,554,428
/8 255.0.0.0 1A 16,777,214

Table 6-2 Accepted CIDR Values (continued)
CIDR Number of
Length Mask Networks Hosts
/9 255.128.0.0 128 B 8,388,352
/10 255.192.0.0 64 B 4,194,176
/11 255.224.0.0 32 B 2,097,088
/12 255.240.0.0 16 B 1,048,544
/13 255.248.0.0 8B 524,272
/14 255.252.0.0 4B 262,136
/15 255.254.0.0 2B 131,068
/16 255.255.0.0 1B 65,534
/17 255.255.128.0 128 C 32,512
/18 255.255.192.0 64 C 16,256
/19 255.255.224.0 32 C 8,128
/20 255.255.240.0 16 C 4,064
/21 255.255.248.0 8C 2,032
/22 255.255.252.0 4C 1,016
/23 255.255.254.0 2C 508
/24 255.255.255.0 1C 254
/25 255.255.255.128 2 subnets 124
/26 255.255.255.192 4 subnets 62
/27 255.255.255.224 8 subnets 30
/28 255.255.255.240 16 subnets 14
/29 255.255.255.248 32 subnets 6
/30 255.255.255.252 64 subnets 2
/31 255.255.255.254 none none
/32 255.255.255.255 1/256 C 1
For example, a network is called a supernet when the prefix boundary contains
fewer bits than the network's natural (such as, classful) mask. A network is called a
subnet when the prefix boundary contains more bits than the network's natural
mask:
• 209.60.128.0 is a class C network address with a mask of /24.
• 209.60.128.0 /22 is a supernet that yields:
209.60.128.0 /24
209.60.129.0 /24
209.60.130.0 /24
209.60.131.0 /24
• 192.0.0.0 /25

Subnet Host Range

0 192.0.0.1-192.0.0.126
1 192.0.0.129-192.0.0.254
• 192.0.0.0 /26
Subnet Host Range
0 192.0.0.1 - 192.0.0.62
1 192.0.0.65 - 192.0.0.126
2 192.0.0.129 - 192.0.0.190
3 192.0.0.193 - 192.0.0.254
• 192.0.0.0 /27
Subnet Host Range
0 192.0.0.1 - 192.0.0.30
1 192.0.0.33 - 192.0.0.62
2 192.0.0.65 - 192.0.0.94
3 192.0.0.97 - 192.0.0.126
4 192.0.0.129 - 192.0.0.158
5 192.0.0.161 - 192.0.0.190
6 192.0.0.193 - 192.0.0.222
7 192.0.0.225 - 192.0.0.254
Scheduling QRadar uses system configuration files to provide useful characterizations of

Automatic Updates network data flows. You can update your configuration files automatically or
manually to make sure your configuration files contain the latest network security
information. The updates, located on the Qmmunity web site, include threats,
vulnerabilities, and geographic information from various security-related web sites.
Note: We do not guarantee the accuracy of the third-party information contained

on the above-mentioned web sites.
Note: In an HA deployment, once you update your configuration files on the

primary host and deploy your changes, the updates are automatically performed
on the secondary host. If you do not deploy your changes, the updates are
performed on the secondary host through an automated process that runs hourly.
You can configure the automatic updates to include minor updates (such as on-line
Help or updated scripts), major updates (such as updated JAR files), or DSM
updates. You can configure the automatic updates function to download and install
minor updates. Major updates and DSM updates must be downloaded and
installed manually. The Console must be connected to the Internet to receive the
updates.

QRadar allows you to either replace your existing configuration files or integrate
the updates with your existing files to maintain the integrity of your current
configuration and information.
You can also update the configuration files for all systems in your QRadar
deployment. However, the system and event views must be currently created in
your deployment editor. For more information on using the deployment editor, see
Chapter 8 Using the Deployment Editor.
Caution: Failing to build your deployment map before you configure automatic or
manual updates results in your remote systems not being updated.
This section includes:

• Scheduling Automatic Updates
• Updating Your Files On-Demand
Scheduling To schedule automatic updates:

Automatic Updates
Step 3 Click the Auto Update icon.
The Auto Update Configuration window appears.
Step 4 Configure the update method and types of updates you want to receive using the
Choose Updates box:
Table 6-3 Choose Updates Parameters
Update Method Using the drop-down list box, select the method you want to use
for updating your system including:
• Auto Integrate - Integrates the new configuration files with
your existing files to maintain the integrity of your information.
This is the default.
• Auto Update - Replaces your existing configuration files with
the new configuration files.

Table 6-3 Choose Updates Parameters (continued)
Weekly Updates Weekly updates include vulnerability, QID map updates, and
security threat information. Using the drop-down list box, select
one of the following:
• Enabled - Allows weekly updates for your system. This is the
default.
• Disabled - Disables the option for your system to receive
weekly updates.
Minor Updates Minor updates include such items as additional on-line Help
content or updated scripts. Using the drop-down list box, select
one of the following options for minor updates:
minor updates.
• Download - Downloads the minor updates to the designated
download path location. See the readme file in the download
files for installation instructions.
• Install - Automatically installs minor updates on your system.
This is the default.
Major Updates Major updates require service interruptions to install. Major
updates include such items as updated JAR files. Using the
drop-down list box, select one of the following options for major
updates:
major updates. This is the default.
• Download - Downloads the major updates to the designated
download path location. See the readme file in the download
files for installation instructions.
DSM Updates Using the drop-down list box, select one of the following options
for DSM updates:
DSM updates.
• Download - Downloads the DSM updates to the designated
download path location. This is the default. See the readme
file in the download files for installation instructions.
Download Path Specify the directory path location to which you want to store
DSM, minor, and major updates. The default is
/store/configservices/staging/updates.
Step 5 Configure the server settings:

Table 6-4 Server Configuration Parameters
Webserver Specify the web server from which you want to obtain the
updates. The default web site is:
https://qmmunity.q1labs.com
Directory Specify the directory location on which you want to store the
updates. The default is autoupdates/.
Proxy Server Specify the URL for the proxy server.
Proxy Port Specify the port for the proxy server.
Proxy Username Specify the necessary username for the proxy server. A
username is only required if you are using an authenticated
proxy.
Proxy Password Specify the necessary password for the proxy server. A
password is only required if you are using an authenticated
proxy.
Step 6 Configure the update settings:
Table 6-5 Update Settings Parameters
Deploy changes Select the check box if you want to deploy update changes
automatically. If the check box is clear, a system notification
appears in the Dashboard indicating that you must deploy
changes. By default, the check box is clear.
Send feedback Select the check box if you want to send feedback to Q1 Labs
regarding the update. Feedback is sent automatically using a
web form if any errors occur with the update. By default, the
check box is clear.
Backup Retention Specify the length of time, in days, that you want to store files
Period (days) that may be replaced during the update process. The files will be
stored in the location specified in the Backup Location
parameter. The default is 30 days. The minimum is 1 day and the
maximum is 65535.
Backup Location Specify the location that you want to store backup files.

Step 7 Configure the schedule for updates:
Table 6-6 Schedule Update Parameters
Schedule Update Using the drop-down list box, select the frequency you want to
Frequency receive updates. The options are Disabled, Weekly, Monthly, or
Daily. The default is daily.
Hour Using the drop-down list box, select the time of day you want
your system to update. The default is 1 am.
Week Day This option is only available if you select Weekly as the update
frequency. Using the drop-down list box, select the day of the
week you want to receive updates. The default is Monday.
Month Day This option is only active when you select Monthly as the update
frequency. Using the drop-down list box, select the day of the
month you want to receive updates. The default is 1.
Step 8 Click Save.

If you selected the Deploy Changes check box in Step 6, the updates are
enforced through your deployment. Once the automatic update process is
complete, a system notification appears in the Dashboard and information appears
in the Log field. For more information about the Dashboard, see the QRadar Users
Guide.
Updating Your Files You can update your files, whenever necessary, using the Auto Update window.
On-Demand
To update your files:
Step 3 Click the Auto Update icon.
The Auto Update Configuration window appears.
Step 4 In the Update Method drop-down list box, select the method you want to use for
updating your files:
• Auto Integrate - Integrates the new configuration files with your existing files to
maintain the integrity of your information.
• Auto Update - Replaces your existing configuration files with the new
configuration files.
Step 5 Click Save and Update Now.
Your views are updated.


If you selected the Deploy Changes check box, the updates are enforced through
your deployment. Once the automatic update process is complete, a system
notification appears in the Dashboard. For more information, see the QRadar
Users Guide.
Configuring To configure system settings:

System Settings
Step 3 Click the System Settings icon.
The System Settings window appears.
Step 4 Enter values for the parameters:
Table 6-7 System Settings Parameters
System Settings
Administrative Email Specify the e-mail address of the designated system
Address administrator. The default is root@localhost.
Alert Email From Address Specify the e-mail address from which you want to
receive e-mail alerts. This address appears in the From
field of the e-mail alerts. A valid address is required by
most e-mail servers. The default is
root@<hostname.domain>.
Resolution Interval Length Resolution interval length determines at what interval the
QFlow Collectors and Event Collectors send bundles of
information to the Console. Specify the interval length, in
minutes.The options include:
• 30 seconds
• 1 minute (default)
• 2 minutes
Note: If you select the 30 seconds option, results are
displayed in the user interface as the data enters the
system. However, with shorter intervals, the volume of
time series data is larger and the system may experience
delays in processing the information.
Delete Root Mail Root mail is the default location for host context
messages. Specify one of the following:
• Yes - Delete the local administrator e-mail. This is the
default.
• No - Do not delete local administrator e-mail.

Table 6-7 System Settings Parameters (continued)
Temporary Files Specify the time period the system stores temporary files.
Retention Period The default storage location for temporary files is the
/store/tmp directory. The default is 6 hours. The minimum
is 6 hours and the maximum is 2 years.
Asset Profile Reporting Specify the interval, in seconds, that the database stores
Interval new asset profile information. The default is 900 seconds.
The minimum is 0 and the maximum is 4294967294.
Asset Profile Query Specify the period, in seconds, for an asset search to
Period process before a time-out occurs. The default is 86400.
VIS passive Asset Profile Specify the interval, in seconds, that the database stores
Interval all passive asset profile information. The default is 86,400
seconds. The minimum is 0 and the maximum is
4294967294.
TNC Recommendation Trusted Network Computing (TNC) recommendations
Enable enable you to restrict or deny access to the network
based on user name or other credentials. Specify one of
the following:
• Yes - Enables the TNC recommendation functionality.
• No - Disables the TNC recommendation functionality.
Coalescing Events Enables or disables the ability for a log source to coalesce
(bundle) events. This value applies to all log sources.
However, if you want to alter this value for a specific log
source, edit the Coalescing Event parameter in the log
source configuration. For more information, see the
Managing Log Sources Guide.
The default is Yes.
Store Event Payload Enables or disables the ability for a log source to store
event payload information. This value applies to all log
sources. However, if you want to alter this value for a
specific log source, edit the Event Payload parameter in
the log source configuration. For more information, see
the Log Sources Users Guide.
The default is Yes.
Global Iptables Access Specify the IP address of a non-Console system that does
not have iptables configuration to which you want to
enable direct access. To enter multiple systems, enter a
comma-separated list of IP addresses.
Syslog Event Timeout Specify the amount of time, in minutes, that the status of a
(minutes) syslog device is recorded as error if no events have been
received within the timeout period. The status appears in
the Log Sources window (for more information, see the
Log Sources Users Guide).
The default is 720 minutes (12 hours). The minimum
value is 0 and the maximum value is 4294967294.

Partition Tester Timeout Specify the amount of time, in seconds, for a partition test
(seconds) to perform before a time-out occurs. The default is 30.
The minimum is 0 and the maximum is The default is
86400. The minimum is 86400 and the maximum is The
default is 86400. The minimum is 86400 and the
maximum is 4294967294.
Database Settings
User Data Files Specify the location of the user profiles. The default is
/store/users.
Accumulator Retention - Using the drop-down list box, select the period of time you
Minute-By-Minute want to retain minute-by-minute data accumulations. The
default is 1 day. The minimum is 1 day and the maximum
is 2 years.
Every 60 seconds, the data is aggregated into a single
dataset.
Hourly want to retain hourly data accumulations. The default is 2
weeks. The minimum is 1 day and the maximum is 2
years.
At the end of every hour, the minute-by minute
datasets are aggregated into a single hourly dataset.
Daily want to retain daily data accumulations. The default is 33
day. The minimum is 1 day and the maximum is 2 years.
At the end of every day, the hourly datasets are
aggregated into a single daily dataset.
Offense Retention Period Using the drop-down list box, select the period of time you
want to retain closed offense information. The default is 3
days. The minimum is 1 day and the maximum is 2 years.
After the offense retention period has elapsed, closed
offenses are purged from the database.
Note: Offenses can be retained indefinitely as long as
they are not closed and they are still receiving events.
The magistrate automatically closes an offense if the
offense has not received an event for 5 days straight. This
5-day period is known as the dormant time. If an event is
received during the dormant time, the dormant time is
reset back to zero. Once an offense is closed either by
you or the magistrate, the Offense Retention Period
setting is applied.
Attacker History Retention Specify the amount of time that you want to store the
Period attacker history. The default is 6 months. The minimum is
1 day and the maximum is 2 years.
Ariel Database Settings

Flow Data Storage Specify the location that you want to store the flow log
Location information. The default location is /store/ariel/flows.
Note: This is a global setting, applied to all Consoles and
Flow Data Retention Specify the period of time you want to store flow data. The
Period default is 1 week. The minimum is 1 day and the
maximum is 2 years.
Asset Profile Storage Specify the location that you want to store asset profile
Location information. The default location is /store/ariel/hprof.
Asset Profile Retention Specify the period of time, in days, that you want to store
Period the asset profile information. The default is 30 days. The
minimum is 1 day and the maximum is 2 years.
Log Source Storage Specify the location that you want to store the log source
Location information. The default location is /store/ariel/events.
Note: This is a global setting, applied to Consoles and
Log Source Data Specify the amount of time that you want to store the log
Retention Period source data. The default is 30 days. The minimum is 1
day and the maximum is 2 years.
Search Results Retention Using the drop-down list box, select the amount of time
Period you want to store event and flow search results. The
default is 1 day. The minimum is 1 day and the maximum
is 3 months.
Maximum Real Time Specify the maximum number of results you want to view
Results in the Log Activity and Network Activity interfaces. The
default is 10,000. The minimum value is 0 and the
maximum value is 4294967294.
Reporting Max Matched Specify the maximum number of results you want a report
Results to return. This value applies to the search results in the
Offenses, Log Activity and Network Activity interfaces.
The default is 1,000,000. The minimum value is 0 and the
maximum value is 4294967294.
Command Line Max Specify the maximum number of results you want the
Matched Results AQL command line to return. The default is 0. The
minimum value is 0 and the maximum value is
4294967294.

Web Execution Time Limit Specify the maximum amount of time, in seconds, you
want a query in the interface to process before a time-out
occurs. This value applies to the search results in the
Offenses, Log Activity and Network Activity interfaces.
The default is 600 seconds. The minimum value is 0 and
the maximum value is 4294967294.
Reporting Execution Time Specify the maximum amount of time, in seconds, you
Limit want a reporting query to process before a time-out
occurs. The default is 57,600 seconds. The minimum
Command Line Execution Specify the maximum amount of time, in seconds, you
Time Limit want a query in the AQL command line to process before
a time-out occurs. The default is 0 seconds. The minimum
Web Last Minute (Auto Specify the maximum amount of time, in seconds, you
refresh) Execution Time want an auto refresh to process before a time-out occurs.
Limit The default is 10 seconds. The maximum is 40 seconds.
Flow Log Hashing Enables or disables the ability for QRadar to store a hash
file for every stored flow log file. The default is No.
Event Log Hashing Enables or disables the ability for QRadar to store a hash
file for every stored event log file. The default is No.

Hashing Algorithm You can use a hashing algorithm for database storage
and encryption. You can use one of the following hashing
algorithms:
• Message-Digest Hash Algorithm - Transforms digital
signatures into shorter values called Message-Digests
(MD).
• Secure Hash Algorithm (SHA) Hash Algorithm -
Standard algorithm that creates a larger (60 bit) MD.
Specify the log hashing algorithm you want to use for your
deployment. The options are:
• MD2 - Algorithm defined by RFC 1319.
• MD5 - Algorithm defined by RFC 1321.
• SHA-1 - Algorithm defined by Secure Hash Standard
(SHS), NIST FIPS 180-1. This is the default.
• SHA-256 - Algorithm defined by the draft Federal
Information Processing Standard 180-2, SHS.
SHA-256 is a 255-bit hash algorithm intended for 128
bits of security against security attacks.
SHA-384 is a bit hash algorithm is provided by
truncating the SHA-512 output.
SHA-512 is a bit hash algorithm intended to provide
256 bits of security.
Transaction Sentry Settings
Transaction Max Time A transaction sentry detects unresponsive applications
Limit using transaction analysis. If an unresponsive application
is detected, the transaction sentry attempts to return the
application to a functional state.
Using the drop-down list box, select the length of time you
want the system to check for transactional issues in the
database. The default is 10 minutes. The minimum is 1
minute and the maximum is 30 minutes.
Resolve Transaction on Using the drop-down list box, select whether you want the
Non-Encrypted Host transaction sentry to resolve all erroneous conditions
detected on the Console or non-encrypted managed
hosts.
If you select No, the conditions are detected and logged
but you must manually intervene and correct the error.
The default is Yes.

Resolve Transaction on Using the drop-down list box, select whether you want the
Encrypted Host transaction sentry to resolve all erroneous conditions
detected on the encrypted managed host.
If you select No, the conditions are detected and logged
but you must manually intervene and correct the error.
The default is Yes.
SNMP Settings
SNMP Version Using the drop-down list box, choose one of the following
options:
• Disabled - Specify if you do not want SNMP
responses in the QRadar custom rules engine.
Disabling SNMP indicates that you do not want to
accept events using SNMP.
• SNMPv3 - Specify if you want to use SNMP version 3
in your deployment.
• SNMPv2c - Specify if you want to use SNMP version 2
in your deployment.
SNMPv2c Settings
Destination Host Specify the IP address to which you want to send SNMP
notifications.
Destination Port Specify the port to which you want to send SNMP
notifications. The default is 162.
Community Specify the SNMP community, such as public.
SNMPv3 Settings
Destination Host Specify the IP address to which you want to send SNMP
notifications.
Destination Port Specify the port to which you want to send SNMP
notifications. The default is 162.
User Name Specify the name of the user you want to access SNMP
related properties.
Security Level Specify the security level for SNMP. The options are:
• NOAUTH_NOPRIV - Indicates no authorization and no
privacy. This the default.
• AUTH_NOPRIV - Indicates authorization is permitted
but no privacy.
• AUTH_PRIV - Allows authorization and privacy.
Authentication Protocol Specify the algorithm you want to use to authenticate
SNMP traps.
Authentication Password Specify the password you want to use to authenticate
SNMP.
Privacy Protocol Specify the protocol you want to use to decrypt SNMP
traps.

Privacy Password Specify the password used to decrypt SNMP traps.
Embedded SNMP Agent Settings
Enabled Enables or disables access to data from the SNMP Agent
using SNMP requests. The default is Yes.
Community String Specify the SNMP community, such as public. This
parameter only applies if you are using SNMPv2 and
SNMPv3.
IP Access List Specify the systems that can access data from the SNMP
agent using SNMP request. If the Enabled option is set to
Yes, this option is enforced.
Step 5 Click Save.

Step 6 From the Admin tab menu, select Advanced > Deploy Full Configuration.
Configuring You can configure system performance alerts for thresholds using the Admin tab.
System This section provides information for configuring your system thresholds.
Notifications
To configure system thresholds:
Step 3 Click the Global System Notifications icon.
The Global System Notifications window appears.
Step 4 Enter values for the parameters. For each parameter, you must select the following
options:
• Enabled - Select the check box to enable the option.
• Respond if value is - Specify one of the following options:
- Greater Than - An alert occurs if the parameter value exceeds the
configured value.
- Less Than - An alert occurs if the parameter value is less than the
configured value.
• Resolution Message - Specify a description of the preferred resolution to the
alert.
Table 6-8 Global System Notifications Parameters
User CPU usage Specify the threshold percentage of user CPU usage.

Configuring System Notifications 71
Table 6-8 Global System Notifications Parameters (continued)
Nice CPU usage Specify the threshold percentage of user CPU usage at
the nice priority.
System CPU usage Specify the threshold percentage of CPU usage while
operating at the system level.
Idle CPU usage Specify the threshold percentage of idle CPU time.
Percent idle time Specify the threshold percentage of idle time.
Run queue length Specify the threshold number of processes waiting for
run time.
Number of processes in Specify the threshold number of processes in the
the process list process list.
System load over 1 Specify the threshold system load average over the last
minute minute.
System load over 5 Specify the threshold system load average over the last 5
minutes minutes.
System load over 15 Specify the threshold system load average over the last
minutes 15 minutes.
Kilobytes of memory free Specify the threshold amount, in kilobytes, of free
memory.
Kilobytes of memory used Specify the threshold amount, in kilobytes, of used
memory. This does not consider memory used by the
kernel.
Percentage of memory Specify the threshold percentage of used memory.
used
Kilobytes of cached swap Specify the threshold amount of memory, in kilobytes,
memory shared by the system.
Kilobytes of buffered Specify the threshold amount of memory, in kilobytes,
memory used as a buffer by the kernel.
Kilobytes of memory used Specify the threshold amount of memory, in kilobytes,
for disc cache used to cache data by the kernel.
Kilobytes of swap memory Specify the threshold amount of free swap memory, in
free kilobytes.
Kilobytes of swap memory Specify the threshold amount, in kilobytes, of used swap
used memory.
Percentage of swap used Specify the threshold percentage of used swap space.
Number of interrupts per Specify the threshold number of received interrupts per
second second.
Received packets per Specify the threshold number of packets received per
second second.
Transmitted packets per Specify the threshold number of packets transmitted per
second second.
Received bytes per Specify the threshold number of bytes received per
second second.

Table 6-8 Global System Notifications Parameters (continued)
Transmitted bytes per Specify the threshold number of bytes transmitted per
second second.
Received compressed Specify the threshold number of compressed packets
packets received per second.
Transmitted compressed Specify the threshold number of compressed packets
packets transmitted per second.
Received multicast Specify the threshold number of received Multicast
packets packets per second.
Receive errors Specify the threshold number of corrupt packets received
per second.
Transmit errors Specify the threshold number of corrupt packets
transmitted per second.
Packet collisions Specify the threshold number of collisions that occur per
second while transmitting packets.
Dropped receive packets Specify the threshold number of received packets that
are dropped per second due to a lack of space in the
buffers.
Dropped transmit packets Specify the threshold number of transmitted packets that
are dropped per second due to a lack of space in the
buffers.
Transmit carrier errors Specify the threshold number of carrier errors that occur
per second while transmitting packets.
Receive frame errors Specify the threshold number of frame alignment errors
that occur per second on received packets.
Receive fifo overruns Specify the threshold number of First In First Out (FIFO)
overrun errors that occur per second on received
packets.
Transmit fifo overruns Specify the threshold number of First In First Out (FIFO)
overrun errors that occur per second on transmitted
packets.
Transactions per second Specify the threshold number of transfers per second
sent to the system.
Sectors written per Specify the threshold number of sectors transferred to or
second from the system.
Step 5 Click Save.

Configuring the The QRadar Console provides the interface for QRadar. The Console provides
Console Settings real-time views, reports, alerts, and in-depth investigation of flows for network
traffic and security threats. You can also manage the Console to manage
distributed QRadar deployments.

You can access the Console from a standard web browser. When you access the
system, a prompt appears for a user name and password, which must be
configured in advance by the QRadar administrator. QRadar supports the following
web browsers:
• Internet Explorer 7.0 and 8.0
• Mozilla Firefox 3.6 and above
To configure QRadar Console settings:

Step 3 Click the Console icon.
The QRadar Console Settings window appears.

Table 6-9 QRadar Console Parameters
Console Settings
ARP - Safe Interfaces Specify the interface you want to be excluded from ARP
resolution activities.
Enable 3D graphs in the Using the drop-down list box, select one of the following:
user interface
• Yes - Displays graphics in 3-dimensional format in the
interface.
• No - Displays graphics in 2-dimensional format in the
interface.
Results Per Page Specify the maximum number of results you want to
display in the main QRadar interface. This parameter
applies to the Offenses, Log Activity, Assets, Network
Activity, and Reports interfaces. For example, if the
Default Page Size parameter is configured to 50, the
Offenses interface displays a maximum of 50 offenses.
The default is 40. The minimum is 0 and the maximum is
4294967294.
Authentication Settings
Persistent Session Specify the length of time, in days, that a user system will
Timeout (in days) be persisted. The default is 0, which disables this feature.
Maximum Login Failures Specify the number of times a login attempt may fail. The
default is 5. The minimum is 0 and the maximum is
4294967294.
Login Failure Attempt Specify the length of time during which a maximum login
Window (in minutes) failures may occur before the system is locked. The
default is 10 minutes. The minimum is 0 and the
Login Failure Block Time Specify the length of time that the system is locked if the
(in minutes) the maximum login failures value is exceeded. The
default is 30 minutes. The minimum is 0 and the
Login Host Whitelist Specify a list of hosts who are exempt from being locked
out of the system. Enter multiple entries using a
comma-separated list.
Inactivity Timeout (in Specify the amount of time that a user will be
minutes) automatically logged out of the system if no activity
occurs. The default is 0. The minimum is 0 and the
Login Message File Specify the location and name of a file that includes
content you want to appear on the QRadar login window.
This file may be in text or HTML format and the contents
of the file appear below the current log in window.

Table 6-9 QRadar Console Parameters (continued)
Event Permission Using the drop-down list box, specify the level of network
Precedence permissions you want to assign users. This affects the
events that appear in the Log Activity interface. The
options include:
• Network Only - A user must have access to either the
source network or the destination network of the event
to have the event appear in the Log Activity interface.
• Devices Only - A user must have access to either the
device or device group that created the event to have
the event appear in the Log Activity interface.
• Networks and Devices - A user must have access to
both the source or the destination network and the
device or device group to have an event appear in the
Log Activity interface.
• None - All events appear in the Log Activity interface.
Any user with Log Activity role permissions are able to
view all events.
Note: For more information on managing users, see
Chapter 2 Managing Users.
DNS Settings
Enable DNS Lookups for Enable or disable the ability for QRadar to search for DNS
Asset Profiles information in asset profiles. When enabled, this
information is available using the right-mouse button
(right-click) on the IP address or host name located in the
Host Name (DNS Name) field in the asset profile. The
default is False.
Enable DNS Lookups for Enable or disable the ability for QRadar to search for host
Host Identity identity information. When enabled, this information is
available using the right-mouse button (right-click) on any
IP address or asset name in the interface. The default is
True.
WINS Settings
WINS Server Specify the location of the Windows Internet Naming
Server (WINS) server.
Reporting Settings
Report Retention Period Specify the period of time, in days, that you want the
system to maintain reports. The default is 30 days. The
minimum is 0 and the maximum is 4294967294.
Data Export Settings
Include Header in CSV Specify whether you want to include a header in a CSV
Exports export file.
Maximum Simultaneous Specify the maximum number of exports you want to
Exports occur at one time. The default is 1. The minimum is 0 and
the maximum is 4294967294.

Step 5 Click Save.


You can configure authorized services in the Admin tab to pre-authenticate a

customer support service for your QRadar deployment. Authenticating a customer
support service allows the service to connect to your QRadar interface and either
dismiss or update notes to an offense using a web service. You can add or revoke
an authorized service at any time.
This chapter provides information for managing authorized services including:

• Viewing Authorized Services
• Adding an Authorized Service
• Revoking Authorized Services
• Configuring the Customer Support Service
Viewing Authorized To view authorized services for your QRadar deployment:

Services
Step 3 Click the Authorized Services icon.
The Manage Authorized Services window appears providing the following
information:
Table 7-1 Manage Authorized Services Parameters
Service Name Specifies the name of the authorized service.
Authorized By Specifies the name of the user or administrator that
authorized the addition of the service.
Authentication Token Specifies the token associated with this authorized service.
User Role Specifies the user role associated with this authorized
service.
Created Specifies the date that this authorized service was created.

Table 7-1 Manage Authorized Services Parameters (continued)
Expires Specifies the date and time that the authorized service will
expire. Also, this field indicates when a service has expired.
Step 4 To select a token from an authorized service, select the appropriate authorized
service. The token appears in the Selected Token field in the top bar. This allows
you to copy the desired token into your third-party application to authenticate with
QRadar.
Adding an To add an authorized service:

Authorized Service
The Manage Authorized Services window appears.
Step 4 Click Add Authorized Service.
The Add Authorized Service window appears.
Table 7-2 Add Authorized Services Parameters
Service Name Specify a name for this authorized service. The name can be
up to 255 characters in length.
User Role Using the drop-down list box, select the user role you want to
assign to this authorized service. The user roles assigned to
an authorized service determines the functionality in the
QRadar interface this service can access.
Expiry Date Specify a date you want this service to expire or select the No
Expiry check box if you do not want this service to expire. By
default, the authorized service is valid for 30 days.

Revoking Authorized Services 79
Step 6 Click Create Service.

A confirmation message appears. This message contains a token field that you
must copy into your third-party application to authenticate with QRadar. For more
information about setting up your third-party application to integrate with QRadar,
contact your system administrator.
Revoking To revoke an authorized service:

Authorized
Services
The Manage Authorized Services window appears.
Step 4 Select the service you want to revoke.
Step 5 Click Revoke Authorization.
Step 6 Click Ok.
Configuring the After you have configured an authorized service in QRadar, you must configure
Customer Support your customer support service to access QRadar offense information. For
Service example, you can configure QRadar to send an SNMP trap that includes the
offense ID information. Your service must be able to authenticate to QRadar using
the provided authorized token by passing the information through an HTTP query
string. Once authenticated, the service should interpret the authentication token as
the user name for the duration of the session.
Your customer support service must use a query string to update notes, dismiss, or
close an offense. This section includes:
• Dismissing an Offense
• Closing an Offense
• Adding Notes to an Offense
Dismissing an To dismiss an offense, your customer support service must use the following query
Offense string:
https://<IP address >/console/do/sem/properties?appName=Sem&
dispatch=updateProperties&id=<Offense ID>&nextPageId=
OffenseList&nextForward=offensesearch&attribute=dismiss&daoName
=offense&value=1&authenticationToken=<Token>

Where:
<IP address> is the IP address of your QRadar system.
<Offense ID> is the identifier assigned to the QRadar offense. To obtain the
offense ID, see the Offenses interface. For more information, see the QRadar
Users Guide.
<Token> is the token identifier provided to the authorized service in the QRadar
interface. For information on copying the token, see the QRadar Administration
Guide.
Closing an Offense To close an offense, your customer support service must use the following query
string:
https://<IP Address>/console/do/sem/propertiesappName=Sem&
OffenseList&nextForward=offensesearch&attribute=dismiss&daoName
=offense&value=2&authenticationToken=<Token>
Where:
Users Guide.
Guide.
Adding Notes to an To add notes to an offense, your customer support service must use the following
Offense query string:
https://<IP Address>/console/do/sem/properties?appName=Sem&
OffenseList&nextForward=offensesearch&attribute=notes&daoName
=offense&value=<NOTES>&authenticationToken=<Token>
Where:
Users Guide.
Guide.

7 MANAGING BACKUP AND
RECOVERY
You can backup and recover configuration information and data for QRadar.
Note: The restore process only restores your configuration information. For
assistance in restoring your data, see the Restoring Your Data Technical Note.
This chapter provides information on managing backup and recovery including:

• Managing Backup Archives
• Backing Up Your Information
• Restoring Your Configuration Information
Managing Backup Using the Admin tab, you can:

Archives • View your successful backup archives. See Viewing Backup Archives.
• Import an archive file. See Importing an Archive.
• Delete an archive file. See Deleting a Backup Archive.
Viewing Backup To view all successful backup archives:

Archives
Step 3 Click the Backup and Recovery icon.
The Backup Archives window appears providing the following information,
depending on the status of the backup processes:
• If there are no backup archives, a message appears indicating no backup
archives have been created.
• If a backup is in progress, a status window appears to indicate the duration of
the current backup, which user/process initiated the backup, and provides you
with the option to cancel the backup.
• If there are existing backup archives, the list of the successful backup archives
that exists in the database appears. If a backup file is deleted, it is removed

from the disk and from the database. Also, the entry is removed from this list
and an audit event is generated to indicate the removal. Each archive file
includes the data from the previous day. The list of archives is sorted by the
Time Initiated column in descending order.
The Backup Archives window provides the following information for each backup
archive:
Table 8-1 Backup Archive Window Parameters
Host Specifies the host that initiated the backup process.
Name Specifies the name of the backup archive. To download the
backup file, click the name of the backup.
Type Specifies the type of backup. The options are:
• config (configuration data)
• data (events, flows, and asset profile information)
Size Specifies the size of the archive file.
Time Initiated Specifies the time that the backup file was initiated.
Duration Specifies the time to complete the backup process.
Initialized By Specifies whether the backup file was created by a user or
through a scheduled process.
Importing an Archive To import a QRadar backup archive file:

The Backup Archives window appears.

Managing Backup Archives 83
Step 4 In the Upload Archive field, click Browse.

The File Upload window appears.
Step 5 Select the archive file you want to upload. The archive file must include a .tgz
extension. Click Open.
Step 6 Click Upload.
Deleting a Backup To delete a backup archive:

Archive
Note: To delete a backup archive file, the backup archive file and the Host Context
component must reside on the same system. The system must also be in
communication with the Console and no other backup can be in progress.
Step 4 Select the archive you want to delete.

Step 5 Click Delete.
Step 6 Click Ok.

Backing Up Your You can backup your configuration information and data using the Backup
Information Recovery Configuration window. By default, QRadar creates a backup archive of
your configuration information every night at midnight and the backup includes
configuration and/or data from the previous day.
You can backup your information using one of the following methods:
• Creating a configuration only backup. See Initiating a Backup.
• Scheduling a nightly backup. See Scheduling Your Backup.
• Copying a backup archive file to the system on which you want to restore the
archive. You can then restore the data. See Restoring Your Configuration
Information.
This section provides information on both methods of backing up your data

including:
• Scheduling Your Backup
• Initiating a Backup
Scheduling Your To schedule your backup process:

Backup
Step 4 Click Configure.
The Backup Recovery Configuration window appears.

Table 8-2 Backup Recovery Configuration Parameters
General Backup Configuration
Backup Specifies the location you want to store your backup file. This
Repository Path path must exist before the backup process is initiated. If this path
does not exist, the backup process aborts. The default is
/store/backup.
Note: If you modify this path, make sure the new path is valid on
every system in your deployment.
Hint: Active data is stored on the /store directory. If you have

both active data and backup archives stored in the same
directory, data storage capacity may easily be reached and
your scheduled backups may fail. We recommend you specify
a storage location on another system, or copy your backup
archives to another system after the backup process is
complete. You can use a Network File System (NFS) storage
solution in your QRadar deployment. For more information
about using NFS, see the Using the NFS for QRadar Backups
technical note.

Table 8-2 Backup Recovery Configuration Parameters (continued)
Backup Retention Specify the length of time, in days, that you want to store backup
Period (days) files. The default is 2 days.
Note: This period of time only affects backup files generated as a
result of a scheduled process. Manually initiated or imported
backup files are not affected by this value.
Nightly Backup Select one of the following options:
Schedule
• No Nightly Backups - Disables the creation of a backup
archive on a daily basis.
• Configuration Backup Only - Enables the creation of a daily
backup at midnight that includes configuration information
only.
• Configuration and Data Backups - Enables the creation of a
daily backup at midnight that includes configuration
information and data. If you select the Configuration and Data
Backups option, you can select the hosts you want to backup.
Once you select the host, you can select one of the following
options: Event Data, Flow Data, and Asset Profile Data.
Configuration backups includes the following components:
• Custom rules
• Flow and event searches
• Log sources
• Groups
• Flow sources
• Event categories
• Vulnerability data
• Device Support Modules (DSMs)
• User and user roles information
• License key information
• Custom logos
Data backups include the following information:
• Event data
• Flow data
• Asset profile data
• Report data
• Audit log information
• Data tables for offenses and assets
Configuration Only Backup

Table 8-2 Backup Recovery Configuration Parameters (continued)
Backup Time Limit Specify the length of time, in minutes, that you want to allow the
(min) backup to process. The default is 180 minutes. If the backup
process exceeds the configured time limit, the backup will
automatically be canceled.
Backup Priority Specify the level of importance (LOW, MEDIUM, HIGH) that you
want the system to place on the configuration information backup
process compared to other processes. A priority of medium or
high will have a greater impact on system performance.
Data Backup
Backup Time Limit Specify the length of time, in minutes, that you want to allow the
(min) backup to process. The default is 1020 minutes. If the backup
process exceeds the configured time limit, the backup will
automatically be canceled.
Backup Priority Specify the level of importance (LOW, MEDIUM, HIGH) you want
the system to place on the data backup process compared to
other processes. A priority of medium or high will have a greater
impact on system performance.
Step 6 Click Save.

Initiating a Backup To manually initiate a backup for your configuration information:

Step 4 Click On Demand Backup.

The Create a Backup window appears.


• Name - Specify a unique name you want to assign to this backup file. The name
must be a maximum of 100 alphanumeric characters. Also, the name may
contain following characters: underscore (_), dash (-), or period (.).
• Description - Specify a description for this configuration backup. The name can
be up to 255 characters in length.
Step 6 Click Run Backup.
Step 7 Click OK.
Restoring Your You can restore configuration information from existing backup archives using the
Configuration Restore Backup window. You can only restore a backup archive created within the
Information same release of software. For example, if you are running QRadar 7.0, the backup
archive must of been created in QRadar 7.0.
You can restore configuration information in the following scenarios:

• Restore backup archive on a system that has the same IP address as the
backup archive. See Restoring on a System with the Same IP Address.
• Restore backup archive on system with a different IP address than the backup
archive. See Restoring to a System with a Different IP Address.
Note: If the backup archive originated on a NATed Console system, you can only
restore that backup archive on a NATed system.
Restoring on a To restore your configuration information on a system that has the same IP
System with the address as the backup archive:
Same IP Address


Step 4 Select the archive you want to restore.
Step 5 Click Restore.
The Restore a Backup window appears.
Step 6 To restore specific items in the archive:

a Clear the All Items check box.
The list of archived items appears.
b Select the check box for each item you want to restore.
A confirmation window appears. Each backup archive includes IP address
information of the system from which the backup archive was created.
Step 8 Click Ok.
The restore process begins. This process may take an extended period of time.
When complete, a message appears.
Step 9 Click Ok.
a If the QRadar interface was closed during the restore process, open a browser
and log in to QRadar.
b If the QRadar interface has not been closed, the login window appears. Log in
to QRadar.
A window appears providing the status of the restore process. This window
provides any errors for each host. This window also provides instructions for
resolving errors that have occurred.
Step 11 Follow the instructions on the status window.
Note: If the backup archive originated on an HA cluster, you must click Deploy
Changes to restore the HA cluster configuration after the restore is complete. If
disk replication is enabled, the secondary host immediately synchronizes data
once the system is restored. If the secondary host was removed from the
deployment after backup was performed, the secondary host displays a Failed
status in the System and License Management window.

Restoring to a To restore your configuration information on a system with a different IP address

System with a than the backup archive:
Different IP Address
Step 4 Select the archive you want to restore.
The Restore a Backup window appears. Since the IP address of the system on
which you want to restore the information does not match the IP address of the
backup archive, a message appears indicating that you must stop iptables on each
managed host in your deployment
Step 6 To restore specific items in the archive:

a Clear the All Items check box.
The list of archived items appears.
b Select the check box for each item you want to restore.
Step 7 Stop IP tables:
a Log into the managed host, as root.
b Enter the following command:
service iptables stop
c Repeat for all managed hosts in your deployment.
Step 8 In the Restore a Backup window, click Test Host Access.
The Restore a Backup (Managed Hosts Accessibility) window appears.

Table 8-3 provides the following information:

Table 8-3 Restore a Backup (Managed Host Accessibility Parameters
Host Name Specifies the managed host name.
IP Address Specifies the IP address of the managed host.
Access Status Specifies the access status to the managed host. The options
include:
• Testing Access - The test to determine access status is not
complete.
• No Access - The managed host can not be accessed.
• OK - The managed host is accessible.
Step 9 When the accessibility of all hosts is determined and the status in the Access
Status column indicates OK or No Access, click Restore.
The restore process begins.
Note: If the Access Status column indicates No Access for a host, stop iptables
(see Step 7) again and click Test Host Access to attempt a connection.
Step 10 Click Ok.
The restore process begins. This process may take an extended period of time.
Step 11 Click Ok.
a If the QRadar interface has been closed during the restore process, open a
browser and log in to QRadar.
b If the QRadar interface has not been closed, the login window appears. Log in
to QRadar.
A window appears providing the status of the restore process. This window
provides any errors for each host. This window also provides instructions for
resolving errors that have occurred.
Step 13 Follow the instructions on the status window.

Note: If the backup archive originated on an HA cluster, you must click Deploy
Changes to restore the HA cluster configuration after the restore is complete. If
disk replication is enabled, the secondary host immediately synchronizes data
once the system is restored. If the secondary host was removed from the
deployment after backup was performed, the secondary host displays a Failed
status in the System and License Management window.

The deployment editor allows you to manage the individual components of your
QRadar and SIEM deployment. Once you configure your Event and System
Views, you can access and configure the individual components of each managed
host.
Note: The Deployment Editor requires Java Runtime Environment (JRE). You can
download Java 1.6.0_u20 at the following web site: www.java.com. Also, If you are
using the Firefox browser, you must configure your browser to accept Java
Network Language Protocol (JNLP) files.
Caution: Many third-party web browsers that use the Internet Explorer engine,
such as Maxthon or MyIE, install components that may be incompatible with the
Admin tab interface. You may have to disable any third-party web browsers
installed on your system. For further assistance, please contact customer support.
If you want to access the deployment editor from behind a proxy server or firewall,
you must configure the appropriate proxy settings on your desktop. This allows the
software to automatically detect the proxy settings from your browser. To configure
the proxy settings, open the Java configuration located in your Control Panel and
configure the IP address of your proxy server. For more information on configuring
proxy settings, see your Microsoft documentation.
This chapter provides information on managing your views including:

• About the Deployment Editor
• Building Your Event View
• Managing Your System View
• Configuring QRadar Components

About the You can access the deployment editor using the Admin tab. You can use the
Deployment Editor deployment editor to create your deployment, assign connections, and configure
each component.
The deployment editor provides the following views of your deployment:

• System View - Allows you to assign software components, such as a QFlow
Collector, to systems (managed hosts) in your deployment. The System View
includes all managed hosts in your deployment. A managed host is a system in
your deployment that has QRadar software installed. By default, the System
View also includes the following components:
- Host Context - Monitors all QRadar components to ensure that each
component is operating as expected.
- Accumulator - Resides on the host that contains an Event Processor to
assist with analyzing flows, events, reporting, writing database data and
alerting a DSM.
• Event View - Allows you to create a view for your components including QFlow
Collectors, Event Processors, Event Collectors, Off-site Sources, Off-site
Targets and Magistrate components.
Each view is divided into two panels.
In the Event View, the left panel provides a list of components you can add to the
view and the right panel provides an existing view of your deployment.

In the System View, the left panel provides a list of managed hosts, which you can
view and configure. The deployment editor polls your deployment for updates to
managed hosts. If the deployment editor detects a change to a managed host in
your deployment, a message appears notifying you of the change. For example, if
you remove a managed host, a message appears indicating that the assigned
components to that host must be re-assigned to another host. Also, if you add a
managed host to your deployment, the deployment editor displays a message
indicating that the managed host has been added.
Accessing the In the Admin tab, click Deployment Editor. The deployment editor appears. Once
Deployment Editor you update your configuration settings using the deployment editor, you must save
those changes to the staging area. You must manually deploy all changes using
the Admin tab menu option. All deployed changes are then enforced throughout
your deployment.
Using the Editor The deployment editor provides you with several menu and toolbar options when
configuring your views including:
• Menu Options
• Toolbar Options
Menu Options
The menu options that appear depend on the selected component in your view.
Table 9-1 provides a list of the menu options and the component for which they
appear.
Table 9-1 Deployment Editor Menu Options
Menu Option Sub Menu Option Description

File Save to staging Saves deployment to the staging area.
Save and close Saves deployment to the staging area and
closes the deployment editor.
Open staged Opens a deployment that was previously
deployment saved to the staging area.
Open production Opens a deployment that was previously
deployment saved.
Close current Closes the current deployment.
deployment
Revert Reverts current deployment to the
previously saved deployment.
Edit Preferences Opens the preferences window.
Close editor Closes the deployment editor.
Edit Delete Deletes a component, host, or connection.

Table 9-1 Deployment Editor Menu Options (continued)
Menu Option Sub Menu Option Description

Actions Add a managed host Opens the Add a Managed Host wizard.
Manage NATed Opens the Manage NATed Networks
Networks window, which allows you to manage the list
of NATed networks in your deployment.
Rename component Renames an existing component.
This option is only available when a
component is selected.
Configure Configures QRadar components.
This option is only available when a QFlow
Collector, Event Collector, Event Processor,
or Magistrate is selected.
Assign Assigns a component to a managed host.
This option is only available when a QFlow
Collector, Event Collector, Event Processor,
or Magistrate is selected.
Unassign Unassigns a component from a managed
host.
This option is only available when the
selected component has a managed host
running a compatible version of QRadar
software. This option is only available when
a QFlow Collector is selected.
Toolbar Options
The toolbar options include:
Table 9-2 Toolbar Options
Button Description
Saves deployment to the staging area and closes the deployment editor.
Opens current production deployment.
Opens a deployment that was previously saved to the staging area.
Discards recent changes and reloads last saved model.
Deletes selected item from the deployment view.

This option is only available when the selected component has a managed
host running a compatible version of QRadar software.

Table 9-2 Toolbar Options (continued)
Button Description
Opens the Add a Managed Host wizard, which allows you to add a
managed host to your deployment.
Opens the Manage NATed Networks window, which allows you to manage
the list of NATed networks in your deployment.
Resets the zoom to the default.
Zooms in.
Zooms out.
Building Your To create your deployment, you must:

Deployment
Step 1 Build your Event View. See Building Your Event View.
Step 2 Build your System View. See Managing Your System View.
Step 3 Configure components. See Configuring QRadar Components.
Step 4 Stage the deployment. From the deployment editor menu, select File > Save to
Staging.
Step 5 Deploy all configuration changes. From the Admin tab menu, select Advanced >
Deploy Changes.
For more information on the Admin tab, see Chapter 1 Overview.
Before you Begin Before you begin, you must:

• Install all necessary hardware and QRadar software.
• Install the Java Runtime Environment (JRE). You can download Java 1.6.0_u20
at the following web site: www.java.com.
• If you are using the Firefox browser, you must configure your browser to accept
Java Network Language Protocol (JNLP) files.
• Plan your QRadar deployment including the IP addresses and login information
for all devices in your QRadar deployment.
Note: If you require assistance with the above, please contact Q1 Labs Customer
Support.

Viewing Deployment To view the deployment editor preferences select File > Edit Preferences.
Editor Preferences The Deployment Editor Setting window appears.
• Presence Poll Frequency - Specify how often, in milliseconds, that the

managed host monitors your deployment for updates, for example, a new or
updated managed host.
• Zoom Increment - Specify the increment value when the zoom option is
selected. For example. 0.1 indicates 10%.
Building Your The Event View allows you to create and manage the components for your
Event View deployment including:
• QFlow Collector - Collects data from devices and various live and recorded
feeds, such as network taps, span/mirror ports, NetFlow, and QRadar flow logs.
The QFlow Collector then groups related individual packets into a flow. A flow
starts when the QFlow Collector detects the first packet with a unique source IP
address, destination IP address, source port, and destination port as well as
other specific protocol options, which may determine the start of a
communication. Each additional packet is evaluated and counts of bytes and
packets are added to the statistical counters in the flow record. At the end of an
interval, a status record of the flow is sent to an Event Collector and statistical
counters for the flow are reset. A flow ends when no activity for the flow is seen
within the configured period of time.
Flow reporting generates records of all the active or expired flows during a
specified period of time. QRadar defines these flows as a communication
session between two pairs of unique IP address/ports that use the same
protocol. If the protocol does not support port-based connections, QRadar
combines all packets between the two hosts into a single flow record. However,
a QFlow Collector does not record flows until a connection is made to another
QRadar component and data is retrieved.
• Event Collector - Collects security events from various types of security
devices in your network. The Event Collector gathers events from local, remote,
and device sources. The Event Collector then normalizes the events and sends
the information to the Event Processor. The Event Collector also bundles all
virtually identical events to conserve system usage.

• Event Processor - An Event Processor processes event and flow data from
the Event Collector. The events are bundled to conserve network usage. Once
received, the Event Processor correlates the information from QRadar and
distributes to the appropriate area, depending on the type of event. The Event
Processor also includes information gathered by QRadar to indicate any
behavioral changes or policy violations for that event. Rules are then applied to
the events that allow the Event Processor to process according to the
configured rules. Once complete, the Event Processor sends the events to the
Magistrate.
The Event Processor can be connected to the magistrate on a Console or
connected to another Event Processor in your deployment. The Accumulator is
responsible for gathering flow and event information from the Event Processor.
Note: The Event Processor on the Console is always connected to the magistrate.
This connection cannot be deleted.
See Figure 9-1 for an example QRadar deployment that includes SIEM
components.
• Off-site Source - Indicates an off-site event or flow data source that forwards
normalized data to an Event Collector. You can configure an off-site source to
receive flows or events and allows the data to be encrypted before forwarding.
• Off-site Target - Indicates an off-site device that receives event or flow data.
An off-site target can only receive data from an Event Collector.
• Magistrate - The Magistrate component provides the core processing
components of the security information and event management (SIEM) system.
You can add one Magistrate component for each deployment. The Magistrate
provides views, reports, alerts, and analysis of network traffic and security
events. The Magistrate processes the events or flows against the defined
custom rules to create an offense. If no custom rules exist, the Magistrate uses
the default rule set to process the offending event or flow. An offense is an
event or flow that has been processed through QRadar using multiple inputs,
individual events or flows, and events or flows combined with analyzed
behavior and vulnerabilities. Magistrate prioritizes the offenses and assigns a
magnitude value based on several factors, including the amount of offenses,
severity, relevance, and credibility.
Once processed, Magistrate produces a list for each source, providing you with
a list of attackers and their offense for each event or flow. Once the Magistrate
establishes the magnitude, Magistrate then provides multiple options for
resolution.
By default, the Event View includes a Magistrate component. Figure 9-1 shows an
example of QRadar deployment that includes SIEM components. The example
shows a QFlow Collector, an Event Collector, and an Event Processor connected

to the Magistrate, which allows for the collection, categorizing and processing of
flow and event information.
Figure 9-1 Example of SIEM Components in your QRadar Deployment
To build your Event View:

Step 1 Add SIEM components to your view. See Adding Components.
Step 2 Connect the components. See Connecting Components.
Step 3 Connect deployments. See Forwarding Normalized Events and Flows.
Step 4 Rename the components so each component has a unique name. See Renaming
Components.
Adding Components You can add the following QRadar components to your Event View:
• Event Collector - The Event Collector gathers events from local, remote, and
device sources.
• Event Processor - An Event Processor processes events and flows collected
from an Event Collector.
• Off-site Source - Indicates an off-site event or flow data source that forwards
normalized data to an Event Collector. The off-site source can be configured to
receive flows or events and allows the data to be encrypted before forwarding.

• Off-site Target - Indicates an off-site target to receive event or flow data. An

off-site target can only receive data from an Event Collector.
• QFlow Collector - Collects flow data from devices and various live and
recorded feeds.
Note: The procedures in the section provide information on adding QRadar

components using the Event View.
You can also add components using the System View. For information on the
System View, see Managing Your System View.
To add components to your Event View:

Step 1 In the Admin tab, click Deployment Editor.
The Event View appears.
Step 2 In the Event Tools panel, select a component you want to add to your deployment.
The Adding a New Component Wizard appears.
Step 3 Enter a unique name for the component you want to add. The name can be up to
20 characters in length and may include underscores or hyphens. Click Next.
The Assign Component window appears.

Step 4 From the Select a host to assign to list box, select a managed host to which you
want to assign the new component. Click Next.
Step 6 Repeat for each component you want to add to your view.
Step 7 From the main menu, select File > Save to staging.
Step 8 From the Admin tab menu, select Deploy Changes.
Connecting Once you add all the necessary components in your Event View, you must connect
Components them together. The Event View only allows you to connect appropriate components
together. For example, you can connect an Event Collector to an Event Processor
and not a Magistrate component.
To connect components:
Step 1 In the Event View, select the component for which you want to establish a
connection.
Step 2 From the menu, select Actions > Add Connection.
Note: You can also use the right mouse button (right-click) to access the Action
menu item.
An arrow appears in your map.
Step 3 Drag the end of the arrow to the component on which you want to establish a
connection. Table 9-3 provides a list of components you are able to connect.

Table 9-3 Component Connections
You can connect a... To Connection Guide

QFlow Collector Event Collector A QFlow Collector can only be
connected to an Event Collector.
The number of connections is not
restricted.
Event Collector Event Processor An Event Collector can only be
connected to one Event Processor.
An Event Collector that belongs to
a Console can only be connected
to Console Event Processor. This
connection cannot be removed.
A non-Console Event Collector can
be connected to an Event
Processor on the same system.
A non-Console Event Collector can
be connected to a remote Event
Processor, but only if the Event
Processor does not already exist
on the Console.
Event Collector Off-site Target The number of connections is not
restricted.
Off-site Source Event Collector The number of connections is not
restricted.
An Event Collector connected to an
Event only appliance cannot
receive an off-site connection from
system hardware that has the
Receive Flows feature enabled.
An Event Collector connected to a
QFlow only appliance cannot
receive an off-site connection from
a remote system if the hardware
has receive events feature
enabled.
Event Processor Magistrate (MPC) Only one Event Processor can
connect to a Magistrate (MPC).

Table 9-3 Component Connections (continued)
You can connect a... To Connection Guide

Event Processor Event Processor A Console Event Processor cannot
connect to a non-Console Event
Processor.
A non-Console Event Processor
can be connected to another
Console or non-Console Event
Processor, but not both at the
same time.
A non-Console Event Processor
will be connected to a Console
Event Processor when a
non-Console managed host is
added.
The arrow represents a connection between two components.

Step 4 Repeat for all remaining components that you want to establish a connection.
Forwarding To forward normalized events and flows, you must configure an off-site Event
Normalized Events Collector (target) in your current deployment to receive events and flows from an
and Flows associated off-site Event Collector in the receiving deployment (source).
You can add the following components to your Event View:

• Off-site Source - Indicates an off-site Event Collector from which you want to
receive event and flow data. The source must be configured with appropriate
permissions to send event or flow data to the off-site target.
• Off-site Target - Indicates an off-site Event Collector to which you want to send
event data.
For example, if you want to forward normalized events between two deployments
(A and B), where deployment B wants to receive events from deployment A you
must configure deployment A with an off-site target to provide the IP address of the
managed host that includes Event Collector B. You must then connect Event
Collector A to the off-site target. In deployment B, you must configure an off-site
source with the IP address of the managed host that includes Event Collector A
and the port to which Event Collector A is monitoring.
If you want to disconnect the off-site source, you must remove the connections
from both deployments. From deployment A, you must remove the off-site target
and in deployment B, you must remove the off-site source.
If you want to enable encryption between deployments, you must enable

encryption on both off-site source and target. Also, you must ensure the SSH
public key for the off-site source (client) is available to the target (server) to ensure
appropriate access. For example, in the example below, if you want to enable
encryption between the off-site source and Event Collector B, you must copy the

public key (located at /root/.ssh/id_rsa.pub) from the off-site source to Event

Collector B (add the contents of the file to /root/.ssh/authorized_keys).
Figure 9-2 Forwarding events between deployments using SSH.
Note: If the off-site source/target is an all-in-one system, the public key is not
automatically generated, therefore, you must manually generate the public key.
For more information on generating public keys, see your Linux documentation.
To forward normalized events and flows:

Step 2 In the Components panel, select either Off-site Source or Off-site Target.

Step 3 Specify a unique name for the off-site source or off-site target. The name can be up
to 20 characters in length and may include underscores or hyphens. Click Next.
The event source/target information window appears.

• Enter a name for the off-site host - Specify the name of the off-site host. The
name can be up to 20 characters in length and may include underscores or
hyphens.

• Enter the IP address of the server - Specify the IP address of the managed
host to which you want to connect.
• Receive Events - Select the check box if you want the off-site host to receive
events.
• Receive Flows - Select the check box if you want the off-site host to receive
flows.
• Encrypt traffic from off-site source - Select the check box if you want to
encrypt traffic from an off-site source. To enable encryption, you must select
this check box on the associated off-site source and target.
Step 5 Click Next.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the main menu, select File > Save to staging.
Step 9 From the Admin tab menu, select Advanced > Deploy Changes.
Note: If you update your Event Collector configuration or the monitoring ports, you
must manually update your source and target configurations to maintain the
connection between deployments.
Renaming You may want to rename a component in your view to uniquely identify
Components components through your deployment.
To rename a component:
Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename Component.
menu items.
The Rename component window appears.
Step 3 Enter a new name for the component. The name must be alphanumeric with no
special characters.
Step 4 Click Ok.

Managing Your The System View allows you to manage all managed hosts in your network. A
System View managed host is a component in your network that includes QRadar software. If
you are using a QRadar appliance, the components for that appliance model
appear. If your QRadar software is installed on your own hardware, the System
View includes a Host Context component. The System View allows you to select
which component(s) you want to run on each managed host.
Using the System View, you can:

• Set up managed hosts in your deployment. See Setting Up Managed Hosts.
• Use QRadar with NATed networks in your deployment. See Using NAT with
QRadar.
• Update the managed host port configuration. See Configuring a Managed
Host.
• Assign a component to a managed host. See Assigning a Component to a
Host.
• Configure Host Context. See Configuring Host Context.
• Configure Accumulator. See Configuring an Accumulator.
Setting Up Managed Using the deployment editor, you can manage all hosts in your deployment
Hosts including:
• Add a managed host to your deployment. See Adding a Managed Host.
• Edit an existing managed host. See Editing a Managed Host.
• Remove a managed host. See Removing a Managed Host.
When adding a managed host, you can also enable encryption between managed
hosts running at least QRadar 5.1. The deployment editor determines the version
of QRadar software running on a managed host. You can only add a managed
host to your deployment when the managed host is running a compatible version
of QRadar software. For more information, contact Q1 Labs Customer Support.
You cannot assign or configure components on a non-Console managed host

when the QRadar software version is incompatible with the software version that
the Console is running. If a managed host has previously assigned components
and is running an incompatible software version, you can still view the
components, however, you are not able to update or delete the components.
Note: To enable SSH encryption between two managed hosts, each managed
host must be running at least QRadar 5.1.
Encryption provides greater security for all QRadar traffic between managed hosts.
To provide enhanced security, QRadar also provides integrated support for
OpenSSH and attachmateWRQ Reflection SSH software. Reflection SSH
software provides a FIPS 140-2 certified encryption solution. When integrated with

QRadar, Reflection SSH provides secure communication between QRadar

components. For information on Reflection SSH, see www.wrq.com/products.
Note: You must have Reflection SSH installed on each managed host you want to
encrypt using Reflection SSH. Also, Reflection SSH is not compatible with other
SSH software, such as, OpenSSH.
Since encryption occurs between managed hosts in your deployment, your

deployment must consist of more than one managed host before encryption is
possible. Encryption is enabled using SSH tunnels (port forwarding) initiated from
the client. A client is the system that initiates a connection in a client/server
relationship. When encryption is enabled for a managed host, encryption tunnels
are created for all client applications on a managed host to provide protected
access to the respective servers. If you enable encryption on a non-Console
managed host, encryption tunnels are automatically created for databases and
other support service connections to the Console.
Figure 9-3 shows the movement of traffic within a QRadar deployment including
flows and event traffic. The figure also displays the client/server relationships
within the deployment. When enabling encryption on a managed host, the
encryption SSH tunnel is created on the client’s host. For example, if you enable
encryption for the Event Collector in the deployment depicted in the figure below,
the connection between the Event Processor and Event Collector as well as the
connection between the Event Processor and Magistrate would be encrypted. The
below figure also displays the client/server relationship between the Console and
the Ariel database. When you enable encryption on the Console, an encryption
tunnel is used when performing event searches through the Offenses interface.
Note: You can also use the right mouse button (right-click) to enable encryption
between components.
Note: Enabling encryption reduces the performance of a managed host by at least

50%.

Figure 9-3 Encryption Tunnels
Adding a Managed Host

To add a managed host:
Note: Before you add a managed host, make sure the managed host includes
QRadar software.
Step 1 From the menu, select Actions > Add a managed host.
The Add new host wizard appears.
Step 2 Click Next.

The Enter the host’s IP window appears.

• Enter the IP of the server or appliance to add - Specify the IP address of the
host you want to add to your System View.
• Enter the root password of the host - Specify the root password for the host.
• Confirm the root password of the host - Specify the password again, for
confirmation.
• Host is NATed - Select the check box if you want to use an existing Network
Address Translation (NAT) on this managed host. For more information on NAT,
see Using NAT with QRadar.
Note: If you want to enable NAT for a managed host, the NATed network must be
using static NAT translation. For more information on using NAT, see Using NAT
with QRadar.
• Enable Encryption - Select the check box if you want to create an SSH
encryption tunnel for the host. To enable encryption between two managed
hosts, each managed host must be running at least QRadar 5.1.
• Enable Compression - Select the check box to enable data compression
between two managed hosts, each managed host must be running at least
QRadar 5.1.
If you selected the Host is NATed check box, the Configure NAT settings window
appears. Go to Step 4. Otherwise, go to Step 5.
Note: If you want to add a non-NATed managed host to your deployment when the
Console is NATed, you must change the Console to a NATed host (see Changing

the NAT Status for a Managed Host) before adding the managed host to your
deployment.
Step 4 To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP
address of the managed host. The managed host uses this IP address to
communicate with another managed host that belongs to a different network
using NAT.
• Select NATed network - Using the drop-down list box, select the network you
want this managed host to use.
- If the managed host is on the same subnet as the Console, make sure you
select the Console of the NATed network.
- If the managed host is not on the same subnet as the Console, make sure
select managed host of the NATed network.
Note: For information on managing your NATed networks, see Using NAT with
QRadar.
Step 5 Click Next.
Note: If your deployment included undeployed changes, a window appears
enabling you to deploy all changes.
The System View appears with the host in the Managed Hosts panel.
Editing a Managed Host

To edit an existing managed host:
Step 1 Click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to edit and
select Edit Managed Host.
The Edit a managed host wizard appears.
Note: This option is only available when the selected component has a managed

Step 3 Click Next.

The attributes window appears.
Step 4 Edit the following values, as necessary:

• Host is NATed - Select the check box if you want to use existing Network
Address Translation (NAT) on this managed host. For more information on NAT,
see Using NAT with QRadar.
using static NAT translation. For more information on using NAT, see Using NAT
with QRadar.

• Enable Encryption - Select the check box if you want to create an encryption
tunnel for the host. To enable encryption between two managed hosts, each
managed host must be running at least QRadar 5.1.
If you selected the Host is NATed check box, the Configure NAT settings window
appears. Go to Step 5. Otherwise, go to Step 6.
• Enter public IP of the server or appliance to add - Specify the public IP
using NAT.
Note: For information on managing your NATed networks, see Using NAT with
QRadar.
Step 6 Click Next.
The System View appears with the updated host in the Managed Hosts panel.
Removing a Managed Host

You can only remove non-Console managed hosts from your deployment. You
cannot remove a managed host that is hosting the QRadar Console.
To remove a managed host:

Step 2 Use the right mouse button (right-click) on the managed host you want to delete
and select Remove host.
Note: This option is only available when the selected component has a managed
Step 3 Click Ok.
Using NAT with Network Address Translation (NAT) translates an IP address in one network to a
QRadar different IP address in another network. NAT provides increased security for your
deployment since requests are managed through the translation process and
essentially hides internal IP addresses.
Before you enable NAT for a QRadar managed host, you must set up your NATed
networks using static NAT translation. This ensures communications between
managed hosts that exist within different NATed networks. For example, in
Figure 9-4 the QFlow 1101 in Network 1 has an internal IP address of
10.100.100.1. When the QFlow 1101 wants to communicate with the Event
Collector in Network 2, the NAT router translates the IP address to 192.15.2.1.

Figure 9-4 Using NAT with QRadar
Note: Your static NATed networks must be set up and configured on your network
before you enable NAT using QRadar. For more information, see your network
administrator.
You can add a non-NATed managed host using inbound NAT for a public IP
address. You can also use a dynamic IP address for outbound NAT. However, both
must be located on the same switch as the Console or managed host. You must
configure the managed host to use the same IP address for the public and private
IP addresses.
When adding or editing a managed host, you can enable NAT for that managed
host. You can also use the deployment editor to manage your NATed networks
including:
• Adding a NATed Network to QRadar
• Editing a NATed Network
• Deleting a NATed Network From QRadar
• Changing the NAT Status for a Managed Host
Adding a NATed Network to QRadar

To add a NATed network to your QRadar deployment:
Step 1 In the deployment editor, click the NATed networks button.
Note: You can also use the Actions > Manage NATed Networks menu option to
access the Manage NATed Networks window.
The Manage NATed Networks window appears.

Step 2 Click Add.

The Add New Nated Network window appears.
Step 3 Enter a name of a network you want to use for NAT.

Step 4 Click Ok.
The Manage NATed Networks window appears with the added NATed network.
Step 5 Click Ok.
Step 6 Click Yes.
Editing a NATed Network

To edit a NATed network:
Step 1 In the deployment editor, click the NATed networks icon.
Step 2 Select the NATed network you want to edit. Click Edit.

The Edit NATed Network window appears.
Step 3 Update the name of the network you want to use for NAT.
Step 4 Click Ok.
The Manage NATed Networks window appears with the updated NATed networks.
Step 5 Click Ok.
Step 6 Click Yes.
Deleting a NATed Network From QRadar

To delete a NATed network from your deployment:
Step 1 In the deployment editor, click the NATed networks icon.
Step 2 Select the NATed network you want to delete.
Step 4 Click Ok.
Step 5 Click Yes.
Changing the NAT Status for a Managed Host

To change your NAT status for a managed host, make sure you update the
managed host configuration within QRadar before you update the device. This
prevents the host from becoming unreachable and allows you to deploy changes
to that host.
To change the status of NAT (enable or disable) for an existing managed host:
Step 1 In the deployment editor, click the System View tab.
Step 2 Use the right mouse button (right-click) on the managed host you want to edit and
select Edit Managed Host.
The Edit a managed host wizard appears.
Step 3 Click Next.

The networking and tunneling attributes window appears.

Step 4 Choose one of the following:
a If you want to enable NAT for the managed host, select the check box. Go to
Step 5
using static NAT translation.
b If you want to disable NAT for the managed host, clear the check box. Go to
Step 6
• Change public IP of the server or appliance to add - Specify the public IP
using NAT.
• Manage NATs List - Update the NATed network configuration. For more
information, see Using NAT with QRadar.
Step 6 Click Next.
The System View appears with the updated host in the Managed Hosts panel.
Note: Once you change the NAT status for an existing managed host error
messages may appear. Ignore all error messages.
Step 8 Update the configuration for the device (firewall) to which the managed host is
communicating.
Configuring a To configure a managed host:

Managed Host
Step 1 From the System View, use the right mouse button (right-click) on the managed
host you want to configure and select Configure.
The Configure host window appears.


• Minimum port allowed - Specify the minimum port for which you want to
establish communications.
• Maximum port allowed - Specify the maximum port for which you want to
establish communications.
• Ports to exclude - Specify the port you want to exclude from communications.
You can enter multiple ports you want to exclude. Separate multiple ports using
a comma.
Step 3 Click Save.
Assigning a You can assign the QRadar components added in the Event Views to the
Component to a Host managed hosts in your deployment.
Note: This section provides information on assigning a component to a host using

the System View, however, you can also assign components to a host in the Event
View.
To assign a host:
Step 2 From the Managed Host list, select the managed host to which you want to assign
a QRadar component.
The System View of the host appears.
Step 3 Select the component you want to assign to a managed host.
Step 4 From the menu, select Actions > Assign.
Note: You can also use the right mouse button (right-click) to access the Actions
menu items.
The Assign component wizard appears.

Step 5 From the Select a host to assign to drop-down list box, select the host that you
want to assign to this component. Click Next.
Note: The drop-down list box only displays managed hosts that are running a
compatible version of QRadar software.
Configuring Host The Host Context component monitors all QRadar components to make sure that
Context each component is operating as expected.
To configure Host Context:

The System View appears.
Step 2 Select the managed host that includes the host context you want to configure.
Step 3 Select the Host Context component.
Step 4 From the menu, select Actions > Configure.
menu item.
The Host Context Configuration window appears.

Table 9-4 Host Context Parameters
Disk Usage Sentinal Settings
Warning Threshold When the configured threshold of disk usage is exceeded,
an e-mail is sent to the administrator indicating the current
state of disk usage. The default is 0.75, therefore, when disk
usage exceeds 75%, an e-mail is sent indicating that disk
usage is exceeding 75%. If disk usage continues to increase
above the configured threshold, a new e-mail is sent after
every 5% increase in usage. By default, Host Context
monitors the following partitions for disk usage:
• /
• /store
• /store/tmp
Specify the desired warning threshold for disk usage.
Note: Notification e-mails are sent to the Administrative
Email Address and are sent from the Alert Email From
Address, which is configured in the System Settings. For
more information, see Chapter 5 Setting Up QRadar.

Table 9-4 Host Context Parameters (continued)
Recovery Threshold Once the system has exceeded the shutdown threshold,
disk usage must fall below the recovery threshold before
QRadar processes are restarted. The default is 0.90,
therefore, processes will not be restarted until the disk usage
is below 90%.
Specify the recovery threshold.
Shutdown Threshold When the system exceeds the shutdown threshold, all
QRadar processes are stopped. An e-mail is sent to the
administrator indicating the current state of the system. The
default is 0.95, therefore, when disk usage exceeds 95%, all
QRadar processes stop.
Specify the shutdown threshold.
Inspection Interval Specify the frequency, in milliseconds, that you want to
determine disk usage.
SAR Sentinel Settings
inspect SAR output. The default is 300,000 ms.
Alert Interval Specify the frequency, in milliseconds, that you want to be
notified that the thresholds have been exceeded. The default
is 7,200,000 ms.
Time Resolution Specify the time, in seconds, that you want the SAR
inspection to be engaged. The default is 60 seconds.
Log Monitor Settings
monitor the log files. The default is 60,000 ms.
Monitored SYSLOG Specify a filename for the SYSLOG file. The default is
File Name /var/log/qradar.error.
Alert Size Specify the maximum number of lines you want to monitor
from the log file. The default is 1000.
Step 6 Click Save.


Configuring an The accumulator component assists with data collection and anomaly detection for
Accumulator the Event Processor on a managed host. The accumulator component replaces
several components in previous versions of QRadar and is responsible for
receiving streams of flows and events from the local event processor, writing
database data, and contains the anomaly detection engine (ADE).
To configure an accumulator:
Step 2 Select the managed host you want to configure.
Step 3 Select the accumulator component.
menu item.
The Accumulator Configuration window appears.
Table 9-5 Accumulator Parameters
Central Accumulator Informs you if the current component is a central
accumulator. A central accumulator will only exist on a
Console system.
• True - Indicates that the component is a central
accumulator on the Console and will listen for any TCP
data from non-central accumulators.
• False - Indicates that the component is not a central
accumulator, but deployed on the event processor and
forwards data to a central accumulator on the Console.

Table 9-5 Accumulator Parameters (continued)
Anomaly Detection Specify the address and port of the Anomaly Detection
Engine Engine. The Anomaly Detection Engine is responsible for
analyzing network data and forwarding the data to the rule
system for resolution.
On the Console, the connection is shown as
<Console>:7803.
If the accumulator is not the central accumulator, the
connection is shown as <non-Console IP Address>:7803.
Streamer Accumulator Specifies the listen port of the accumulator responsible for
Listen Port receiving streams of flows from the event processor.
The default value is port 7802.
Alerts DSM Address Specifies the DSM address for forwarding alerts from the
accumulator in the format of <DSM_IP address>:<DSM port
number>.
Step 5 Click Save.

Configuring This section provides information on configuring QRadar components and

QRadar includes:
Components • Configuring a QFlow Collector
• Configuring an Event Collector
• Configuring an Event Processor
• Configuring the Magistrate
• Configuring an Off-site Source
• Configuring an Off-site Target
Configuring a QFlow The QFlow Collector collects data from devices and various live and recorded
Collector feeds, such as network taps, span/mirror ports, NetFlow, and QRadar flow logs.
The QFlow Collector then groups related individual packets into a flow. A flow
starts when the QFlow Collector detects the first packet with a unique source IP
address, destination IP address, source port, and destination port as well as other
specific protocol options, which may determine the start of a communication. Each
additional packet is evaluated and counts of bytes and packets are added to the
statistical counters in the flow record. At the end of an interval, a status record of
the flow is sent to the Event Collector and statistical counters for the flow are reset.
A flow ends when no activity for the flow is seen within the configured period of
time.
Flow reporting generates records of all the active or expired flows during a
specified period of time. QRadar defines these flows as a communication session

between two pairs of unique IP address/ports that use the same protocol. If the
protocol does not support port-based connections, QRadar combines all packets
between the two hosts into a single flow record. However, a QFlow Collector does
not record flows until a connection is made to another QRadar component and
data is retrieved.
To configure a QFlow Collector:

Step 1 In either the Event View or System View, select the QFlow Collector you want to
configure.
menu items.
The QFlow Configuration window appears.
Table 9-6 QFlow Collector Parameters
Event Collector If the host has an Event Collector the connection is
Connections shown as <Host IP Address>:<Port>.
If the QFlow Connector is not connected to an Event
Collector, the value is empty.
QFlow Collector ID In larger installations, several QFlow Collectors can be
installed throughout the deployment. As several QFlow
Collectors can function simultaneously, you must
provide each QFlow Collector a unique name. You can
use that name to determine where data is originating
from in the Collector View, if configured.
Specify the QFlow Collector ID.

Table 9-6 QFlow Collector Parameters (continued)
Maximum Content Capture QFlow Collectors capture a configurable number of
bytes at the start of each flow. Transferring large
amounts of content across the network may affect
network and QRadar performance. On managed hosts
where the QFlow Collectors are located on close
high-speed links, you can increase the content capture
length.
Specify the capture length, in bytes, to attach to a flow.
The range is from 0 to 65535. A value of 0 disables
content capture. The default is 64 bytes.
Note: Increasing content capture length will increase
disk storage requirements for recommended disk
allotment.
Alias Autodetection Specify one of the following options:
• Yes - Allows the QFlow Collector to detect external
flow source aliases. When a QFlow Collector
receives traffic from a device with an IP address but
no current alias, the QFlow Collector attempts a
reverse DNS lookup to determine the hostname of
the device. If the lookup is successful, the QFlow
Collector adds this information to the database and
reports this information to all QFlow Collector in your
deployment.
• No - Disables the QFlow Collector from detecting
external flow sources aliases.
For more information on flow sources, see Chapter 9
Managing Flow Sources.
Step 4 In the toolbar, click Advanced to display the advanced parameters.

The advanced configuration parameters appear.

Step 5 Enter values for the parameters, as necessary:
Table 9-7 QFlow Collector Parameters
Event Collector Specifies the hostname and port of the Event Collector
Connections connected to the QFlow Collector. If the host has an Event
Collector the connection is shown as <Host IP
Address>:<Port>.
If the QFlow Collector is not connected to an Event
Collector, the parameter is empty.
Flow Routing Mode Specify one of the following options:
• 0 = Distributor Mode - Allows QFlow Collector to group
flows that have similar properties.
• 1 = Flow Mode - Disables the bundling of flows.
Maximum Data Specify the amount of bytes/packets you want the QFlow
Capture/Packet Collector to capture.
Time Synchronization Specify the IP address or hostname of the time server.
Server IP Address
Time Synchronization Specify the length of time you want the managed host to
Timeout Period continue attempting to synchronize the time before timing
out. The default is 15 minutes.

Endace DAG Interface Specify the Endace Network Monitoring Interface card
Card Configuration parameters. For more information, see the Qmmunity web
site or contact Q1 Labs Customer Support.
Flow Buffer Size Specify the amount of memory, in MB, that you want to
reserve for flow storage. The default is 400 MB.
Maximum Number of Specify the maximum number of flows you want to send
Flows from the QFlow Collector to an Event Collector.
Remove duplicate flows Enables or disables the ability to remove duplicate flows.
Verify NetFlow Enables or disables the ability to check the incoming
Sequence Numbers NetFlow sequence numbers to ensure that all packets are
present and in the proper order. A notification appears if a
packet is missing or received out-of-order.
External Flow Specify the method you want to use to remove duplicate
De-duplication method external flow sources (de-duplication). Options include:
• Source - Compares originating flow sources. This
method of removing duplicate external flows compares
the IP address of the device that exported the current
external flow record to that of the IP address of the
device that exported the first external record of the
particular flow. If the IP addresses do not match, the
current external flow record is discarded.
• Record - Compares individual external flow records. This
method of removing duplicate external flows logs a list of
every external flow record detected by a particular device
and compares each subsequent record to that list. If the
current record is found in the list, that record is discarded.
Flow Carry-over Specify the number of seconds before the end of an interval
Window that you want one-sided flows to be held over until the next
interval if the flow. This allows time for the inverse side of
the flow to arrive before being reported.

External flow record This parameter is only valid if you configure the External
comparison mask Flow De-duplication method parameter to Record.
Specify the external flow record fields you want to use to
remove duplicate flows. Valid options include: D (Direction),
B (ByteCount), or P (PacketCount). Possible combinations
of the options include:
• DBP - Uses direction, byte count, and packet count when
comparing flow records.
• XBP - Uses byte count and packet count when
comparing flow records.
• DXP - Uses direction and packet count when comparing
flow records.
• DBX - Uses direction and byte count when comparing
flow records.
• DXX - Uses direction when comparing flow records.
• XBX - Uses byte count when comparing records.
• XXP - Uses packet count when comparing records.
Create Superflows Specify one of the following options:
• Yes - Allows the QFlow Collector to create Superflows
from group flows that have similar properties.
• No - Disables the creation of Superflows
Type A Superflows Specify the threshold for type A superflows, which is one
host sending data to many hosts. A unidirectional flow that is
an aggregate of all flows that have the same protocol,
source bytes, source hosts, destination network, destination
port (TCP and UDP flows only), TCP flags (TCP flows only),
ICMP type, and code (ICMP flows only) but different
destination hosts.
Type B Superflows Specify the threshold for type B superflows, which is many
hosts sending data to one host. A unidirectional flow that is
an aggregate of all flows that have the same protocol,
source bytes, source packets, destination host, source
network, destination port (TCP and UDP flows only), TCP
flags (TCP flows only), ICMP type, and code (ICMP flows
only), but different source hosts.
Type CSuperflows Specify the threshold for type C superflows, which is one
host sending data to another host. A unidirectional flow that
is an aggregate of all non-ICMP flows that have the same
protocol, source host, destination host, source bytes,
destination bytes, source packets, and destination packets
but different source or destination ports.

Recombine In some networks, traffic is configured to take alternate
Asymmetric Superflows paths for inbound and outbound traffic. This is asymmetric
routing. You can combine flows received from either a single
or multiple QFlow Collectors. However, if you want to
combine flows from multiple QFlow Collectors, you must
configure flow sources in the Asymmetric Flow Source
Interface(s) parameters in the QFlow Collector
configuration.
Choose one of the following options:
• Yes - Asymmetric flows are combined.
• No - Asymmetric flows are not combined.
Ignore Asymmetric Specify whether you want to enable the creation of
Superflows superflows while asymmetric flows are enabled. The default
is Yes, which means superflows are created.
Minimum Buffer Data Specify the minimum amount of data, in bytes, that you want
the Endace Network Monitoring Interface Card to receive
before the captured data is returned to the QFlow Collector
process. For example, if this parameter is 0 and no data is
available, the Endace Network Monitoring Interface Card
allows non-blocking behavior.
Maximum Wait Time Specify the maximum amount of time, in microseconds, that
you want the Endace Network Monitoring Interface Card to
wait for the minimum amount of data, as specified in the
Minimum Buffer Data parameter.
Polling Interval Specify the interval, in microseconds, that you want the
Endace Network Monitoring Interface Card to wait before
checking for additional data. A polling interval avoids
excessive polling traffic to the card and therefore conserves
bandwidth and processing time.
Step 6 Click Save.

The deployment editor appears.
Step 7 Repeat for all QFlow Collectors in your deployment you want to configure.
Configuring an Event The Event Collector collects security events from various types of security devices
Collector in your network.
To configure an Event Collector:

Step 1 From either the Event View or System View, select the Event Collector you want to
configure.
menu items.
The Event Collector Configuration window appears.

Table 9-8 Event Collector Parameters
Destination Event Specify the destination Event Processor for
Processor communications.
Flow Listen Port Specify the listen port for flows.
Event Forwarding Listen Specify the Event Collector event forwarding port.
Port
Flow Forwarding Listen Specify the Event Collector flow forwarding port.
Port

The advanced configuration parameter appear.

Table 9-9 Event Collector Advanced Parameters
Primary Collector Specifies True for an Event Collector located on a Console
system and False for an Event Collector located on a
non-Console system.
Autodetection Enabled Specifies if you want the Event Collector to auto analyze and
accept traffic from previously unknown log sources. The
default is True, which means that the Event Collector detects
log sources in your network. Also, when set to True, the
appropriate firewall ports are opened to enable auto
detection to receive events. For more information on
configuring log sources, see the Managing Log Sources
Guide.
Flow Deduplication Specify the amount of time in seconds flows are buffered
Filter before they are forwarded.
Asymmetric Flow Filter Specify the amount of time in seconds asymmetric flows will
be buffered before they are forwarded.
Step 6 Click Save.

Step 7 Repeat for all Event Collectors in your deployment you want to configure.
Configuring an Event The Event Processor processes flows collected from one or more Event
Processor Collector(s).
To configure an Event Processor:

Step 1 From either the Event View or System View, select the Event Processor you want
to configure.
menu items.
The Event Processor Configuration window appears.

Table 9-10 Event Processor Parameters
Event Collector Specify the port that the Event Processor monitors for
Connections Listen Port incoming Event Collector connections. The default value is
port 32005.
Event Processor Specify the port that the Event Processor monitors for
Connections Listen Port incoming Event Processor connections. The default value
is port 32007.


Table 9-11 Event Processor Advanced Parameters
Test Rules Specify if you want a non-Console Event Processor to
test rules against the local rule set of the Event
Processor, or have the option to share their rule set
globally.
• Locally - Rules are tested on the Event Processor
and not shared with the system. Testing rules locally
is the default for Console Event Processors.
• Globally - Allows individual rules for every Event
Processor to be shared and tested system wide.
Each rule in Offenses > Rules can be toggled to
Global for detection by any Event Processor on the
system.
Note: If a rule is configured to test locally, the Globally
option does not override the rule’s setting.
For example, you create rule to alert you if there has
been 5 failed login attempts within 5 minutes. The
default for the rule is set to local. When the Event
Processor containing the local rule observes 5 failed
login attempts the rule will execute. When the rule in the
example above is set to Global, if 5 failed login attempts
within 5 minutes is seen on any Event Processor the rule
will execute. This means that when rules are shared
globally, one failed login attempt can come from five
separate event processors and trigger the rule. Testing
rules globally is the default for non-Console Event
Processors, with each rule on the Event Processor set
to test locally.
Note: The test rules drop-down list box in the
Deployment Editor is available for non-Console Event
Processors only.
Overflow Event Routing Specify the events per second threshold that the Event
Threshold Processor can manage. Events over this threshold are
placed in the cache.
Overflow Flow Routing Specify the flows per minute threshold that the Event
Threshold Processor can manage. Flows over this threshold are
placed in the cache.
Events database path Specify the location you want to store events. The
default is /store/ariel/events.
Payloads database length Specify the location you want to store payload
information. The default is /store/ariel/payloads.
Step 6 Click Save.

Step 7 Repeat for all Event Processors in your deployment you want to configure.

Configuring the The Magistrate component provides the core processing components of the SIEM
Magistrate option.
To configure the Magistrate component:

Step 1 From either the Event View or System View, select the Magistrate component you
want to configure.
menu items.
Table 9-12 Magistrate Parameters
Overflow Routing Specify the events per second threshold that the
Threshold Magistrate can manage events. Events over this
threshold are placed in the cache. The default is 20,000.
Step 5 Click Save.

Configuring an An off-site source component sends security events or flows to an Event Collector.
Off-site Source The device that is to receive the source must be configured to receive the
appropriate data type.
Note: When configuring off-site source and target components, it is recommend

that you deploy the Console with the off-site source first and the Console with the
off-site target second to prevent connection errors.
To configure an off-site source component:

Step 1 From either the Event View or System View, select the off-site source you want to
configure.

menu items.
The off-site source Configuration window appears.
Table 9-13 Off-site Source Parameters
Receive Events Specifies the system is configured to receive events from
the off-site source host.
Receive Flows Specifies the system is configured to receive flows from the
off-site source host.
Step 4 Click Save.

Step 5 Repeat for all off-site sources in your deployment you want to configure.
Configuring an An off-site target component receives security event or flow data from an Event
Off-site Target Collector. The target must be configured with appropriate permissions receive the
event or flow data.
Note: When configuring off-site source and target components, it is recommend

that you deploy the Console with the off-site source first and the Console with the
off-site target second to prevent connection errors.
To configure an off-site target component:

Step 1 From either the Event View or System View, select the off-site target you want to
configure.
menu items.
The off-site target Configuration window appears.

Table 9-14 Off-site Target Parameters
Event Collector Listen Specifies the Event Collector listen port for receiving event
Port data. The default listen port for events is 32004.
Note: If the off-site target system has been upgraded from
a previous QRadar software version, you must change the
port from the default (32004) to the port specified in the
Event Forwarding Listen Port parameter for the off-site
target. For more information about how to access the
Event Forwarding Listen port on the off-site target, see
Configuring an Event Collector.
Flow Collector Listen Specifies the Event Collector listen port for receiving flow
Port data. The default listen port for flows is 32000.
Step 4 Click Save.

This chapter provides information on managing flows sources in your deployment

including:
• About Flow Sources
• Managing Flow Sources
• Managing Flow Source Aliases
About Flow QRadar allows you to integrate internal and external flow sources:
Sources • Internal flow sources - Includes any additional hardware installed on a
managed host, such as a Network Interface Card (NIC). Depending on the
hardware configuration of your managed host, the internal flow sources may
include:
- Network interface card
- Endace Network Monitoring Interface Card
- Napatech Interface
• External flow sources - Includes any external flow source that sends flows to
the QFlow Collector. If your QFlow Collector receives multiple flow sources, you
can assign each source a distinct name, providing the ability to distinguish one
source of external flow data from another when received on the same QFlow
Collector. To assign names to multiple flow sources, you must configure the
External Flow Source Interface Name parameter in the QFlow Collector
component. External flow sources may include:
- NetFlow
- sFlow
- J-Flow
- Packeteer
- Flowlog File
QRadar can forward external flows source data using a spoofing or
non-spoofing method:
- Spoofing - Resends the inbound data received from flow sources to a
secondary destination. To ensure flow source data is sent to a secondary

destination, configure the Monitoring Interface in the Flow Source

configuration (see Adding a Flow Source) to the port on which data is
being received (management port). When you use a specific interface, the
QFlow Collector uses a promiscuous mode capture to obtain flow source
data, rather than the default UDP listening port on port 2055. This allows the
QFlow Collector to capture flow source packets and forward the data.
- Non-Spoofing - For the non-spoofing method, configure the Monitoring
Interface in the Flow Source Configuration (see Adding a Flow Source) as
Any. The QFlow Collector opens the listening port, which is the port
configured as the Monitoring Port to accept flow source data. The data is
processed and forwarded to another flow source destination. The source IP
address of the flow source data becomes the IP address of the QRadar
system, not the original router that sent the data.
NetFlow A proprietary accounting technology developed by Cisco Systems® Inc. that

monitors traffic flows through a switch or router, interprets the client, server,
protocol, and port used, counts the number of bytes and packets, and sends that
data to a NetFlow collector. The process of sending data from NetFlow is often
referred to as a NetFlow Data Export (NDE). You can configure QRadar to accept
NDE's and thus become a NetFlow collector. QRadar supports NetFlow versions
1, 5, 7, and 9. For more information on NetFlow, see www.cisco.com.
While NetFlow expands the amount of the network that is monitored, NetFlow uses
a connection-less protocol (UDP) to deliver NDEs. Once an NDE is sent from a
switch or router, the NetFlow record is purged. As UDP is used to send this
information and does not guarantee the delivery of data, NetFlow records
inaccurate recording and reduced alerting capabilities. This can result in
inaccurate presentations of both traffic volumes and bi-directional flows.
Once you configure an external flow source for NetFlow, you must:
• Make sure the appropriate firewall rules are configured. Note that if you change
your External Flow Source Monitoring Port parameter in the QFlow Collector
configuration, you must also update your firewall access configuration.
• Make sure the appropriate ports are configured for your QFlow Collector.
If you are using NetFlow version 9, make sure the NetFlow template from the
NetFlow source includes the following fields:
• FIRST_SWITCHED
• LAST_SWITCHED
• PROTOCOL
• IPV4_SRC_ADDR
• IPV4_DST_ADDR
• L4_SRC_PORT
• L4_DST_PORT

About Flow Sources 141
• IN_BYTES and/or OUT_BYTES

• IN_PKTS and/or OUT_BYTES
• TCP_FLAGS (TCP flows only)
sFlow A multi-vendor and end-user standard for sampling technology that provides
continuous monitoring of application level traffic flows on all interfaces
simultaneously. sFlow combines interface counters and flow samples into sFlow
datagrams that are sent across the network to an sFlow collector. QRadar
supports sFlow versions 2, 4, and 5. Note that sFlow traffic is based on sampled
data and, therefore, may not represent all network traffic. For more information on
sFlow, see www.sflow.org.
sFlow uses a connection-less protocol (UDP). Once data is sent from a switch or
router, the sFlow record is purged. As UDP is used to send this information and
does not guarantee the delivery of data, sFlow records inaccurate recording and
reduced alerting capabilities. This can result in inaccurate presentations of both
traffic volumes and bi-directional flows.
Once you configure an external flow source for sFlow, you must:
• Make sure the appropriate firewall rules are configured.
J-Flow A proprietary accounting technology used by Juniper® Networks that allows you to
collect IP traffic flow statistics. J-Flow enables you to export data to a UDP port on
a J-Flow collector. Using J-Flow, you can also enable J-Flow on a router or
interface to collect network statistics for specific locations on your network. Note
that J-Flow traffic is based on sampled data and, therefore, may not represent all
network traffic. For more information on J-Flow, see www.juniper.net.
J-Flow uses a connection-less protocol (UDP). Once data is sent from a switch or
router, the J-Flow record is purged. As UDP is used to send this information and
does not guarantee the delivery of data, J-Flow records inaccurate recording and
reduced alerting capabilities. This can result in inaccurate presentations of both
traffic volumes and bi-directional flows.
Once you configure an external flow source for J-Flow, you must:
Packeteer Packeteer devices collect, aggregate, and store network performance data. Once
you configure an external flow source for Packeteer, you can send flow information
from a Packeteer device to QRadar.
Packeteer uses a connection-less protocol (UDP). Once data is sent from a switch
or router, the Packeteer record is purged. As UDP is used to send this information
and does not guarantee the delivery of data, Packeteer records inaccurate

recording and reduced alerting capabilities. This can result in inaccurate

presentations of both traffic volumes and bi-directional flows.
To configure Packeteer as an external flow source, you must:

• Make sure that you configure Packeteer devices to export flow detail records
and configure the QFlow Collector as the destination for the data export.
• Make sure the class IDs from the Packeteer devices can automatically be
detected by the QFlow Collector.
• For additional information on mapping Packeteer applications into QRadar, see
the Mapping Packeteer Applications into QRadar Technical Note.
Flowlog File A file generated from the QRadar flow logs.
Napatech Interface If you have a Napatech Network Adapter installed on your QRadar system, the
Naptatech Interface option appears as a configurable packet-based flow source in
the QRadar interface. The Napatech Network Adapter provides next-generation
programmable and intelligent network adapter for your network. For more
information regarding Napatech Network Adapters, see your Napatech vendor
documentation.
Managing Flow For QRadar appliances, QRadar automatically adds default flow sources for the
Sources physical ports on the appliance. Also, QRadar also includes a default NetFlow flow
source. If QRadar is installed on your own hardware, QRadar attempts to
automatically detect and add default flow sources for any physical devices (such
as a Network Interface Card (NIC)). Also, once you assign a QFlow Collector,
QRadar includes a default NetFlow flow source.

• Adding a Flow Source
• Editing a Flow Source
• Enabling/Disabling a Flow Source
• Deleting a Flow Source
Adding a Flow To add a flow source:

Source
Step 2 In the navigation menu, click Data Sources.
The Data Sources panel appears.

Step 3 In the navigation menu, click Flows.

The Flows panel appears.
Step 4 Click the Flow Sources icon.
The Flow Source window appears.
Step 5 Click Add.

The Add Flow Source window appears.
Table 10-1 Add Flow Source Window Parameters
Build from existing flow Select the check box if you want to create this flow source
source using an existing flow source as a template. Once the
check box is selected, use the drop-down list box to select
the desired flow source and click Use as Template.
Flow Source Name Specify the name of the flow source. We recommend that
for an external flow source that is also a physical device,
use the device name as the flow source name. If the flow
source is not a physical device, make sure you use a
meaningful name. For example, if you want to use
NetFlow traffic, enter nf1.
Target Collector Using the drop-down list box, select the Event Collector
you want to use for this flow source.

Table 10-1 Add Flow Source Window Parameters (continued)
Flow Source Type Using the drop-down list box, select the flow source type
for this flow source. The options are:
• Flowlog File
• JFlow
• Netflow v.1, v5, v7, or v9
• Network Interface
• Packeteer FDR
• SFlow v.2, v.4, or v.5
• Pre-7.0 Off-site Flow Source
• Napatech, if applicable
• Endace, if applicable
Note: For more information on adding a pre-7.0 off-site
flow source running QRadar 6.3.1 or earlier, see
Appendix F Configuring Flow Forwarding From
Pre-7.0 Off-Site Flow Sources.
Enable Asymmetric Flows In some networks, traffic is configured to take alternate
paths for inbound and outbound traffic. This is asymmetric
routing. Select the check box is you want to enable
asymmetric flows for this flow source.
Source File Path Specify the source file path for the flowlog file.

a If you select Flowlog File as the Flow Source Type, configure the Source File
Path, which is the source path location for the flow log file.
b If you select JFlow, Netflow, Packeteer FDR, or sFlow as the Flow Source
Type, configure the following:
Table 10-2 External Flow parameters
Monitoring Interface Using the drop-down list box, select the monitoring interface
you want to use for this flow source.
Monitoring Port Specify the port you want this flow source to use.
For the first NetFlow flow source configured in your network,
the default port is 2055. For each additional NetFlow flow
source, the default port number increments by 1. For
example, the default NetFlow flow source for the second
NetFlow flow source is 2056.

Table 10-2 External Flow parameters (continued)
Enable Flow Select the check box to enable flow forwarding for this flow
Forwarding source. Once the check box is selected, the following
options appear:
• Forwarding Port - Specify the port you want to forward
flows. The default is 1025.
• Forwarding Destinations - Specify the destinations you
want to forward flows. You can add or remove addresses
from the list using the Add and Remove buttons.
c If you select Pre-7.0 Off-site Flow Source as the Flow Source Type, configure
the Flow Source Address. For more information on adding a pre-7.0 off-site
flow source, see Appendix F Configuring Flow Forwarding From Pre-7.0
Off-Site Flow Sources.
d If you select Napatech Interface as the Flow Source Type, select the Flow
Interface you want to assign to this flow source.
Note: The Napatech Interface option only appears if you have a Napatech
Network Adapter installed in your system.
e If you select Network Interface as the Flow Source Type, configure the
following:
Table 10-3 Network Interface Parameters
Flow Interface Using the drop-down list box, select the log source you want
to assign to this flow source.
Note: You can only configure one log source per Ethernet
Interface. Also, you cannot send different flow types to the
same port.
Filter String Specify the filter string for this flow source.
Step 8 Click Save.

Editing a Flow To edit a flow source:

Source
The Data Source interface appears.


Step 5 Select the flow source you want to edit.

Step 6 Click Edit.
The Edit Flow Source window appears.
Step 7 Edit values, as necessary. For more information on values for flow source types,
see Adding a Flow Source.
Step 8 Click Save.
Enabling/Disabling a To enable or disable a flow source:

Flow Source

Step 5 Select the flow source you want to enable or disable.

Step 6 Click Enable/Disable.
The Enabled column indicates if the flow source is enabled or disabled. If the flow
source was previously disabled, the column now indicates True to indicate the flow
source is now enabled. If the flow source was previously enabled, the column now
indicates False to indicate the flow source is now disabled.
Deleting a Flow To delete a flow source:

Source
Step 5 Select the flow source you want to delete.
Step 7 Click Ok.
Managing Flow You can configure a virtual name (or alias) for flow sources. You can identify
Source Aliases multiple sources being sent to the same QFlow Collector, using the source IP
address and virtual name. An alias allows a QFlow Collector to uniquely identify
and process data sources being sent to the same port.
When a QFlow Collector receives traffic from a device with an IP address but no
current alias, the QFlow Collector attempts a reverse DNS lookup to determine the
hostname of the device. If the lookup is successful, the QFlow Collector adds this
information to the database and is reported to all QFlow Collectors in your
deployment.

Note: Using the deployment editor, you can configure the QFlow Collector to
automatically detect flow source aliases. For more information, see Chapter 8
Managing Flow Sources.

• Adding a Flow Source Alias
• Editing a Flow Source Alias
• Deleting a Flow Source Alias
Adding a Flow To add a flow source alias:

Source Alias
Step 4 Click the Flow Source Aliases icon.
The Flow Source Alias window appears.
Step 5 Click Add.
The Flow Source Alias Management window appears.

• IP - Specify the IP address of the flow source alias.
• Name - Specify the name of the flow source alias.
Step 7 Click Save.
Editing a Flow To edit a flow source alias:

Source Alias


The Flow Source Alias window appears.
Step 5 Select the flow source alias you want to edit.
Step 6 Click Edit.
The Flow Source Alias Management window appears.
Step 7 Update values, as necessary.
Step 8 Click Save.
Deleting a Flow To delete a flow source alias:

Source Alias
The Flow Source Aliases window appears.
Step 5 Select the flow source alias you want to delete.
Step 7 Click Ok.

10 CONFIGURING REMOTE NETWORKS
AND SERVICES
In the Admin interface, you can group remote networks and services for use in the
custom rules engine, flow and event searches, and in QRadar Risk Manager (if
available). Remote network and service groups enable you to represents traffic
activity on your network for a specific profile. All remote network and service
groups have group levels and leaf object levels.
This chapter includes:

• Managing Remote Networks
• Managing Remote Services
• Using Best Practices
You can edit remote network and service groups by adding objects to existing
groups or changing pre-existing properties to suit your environment.
Caution: If you move an existing object to another group (select a new group and
click Add Group), the object name moves from the existing group to the newly
selected group; however, when the configuration changes are deployed, the object
data stored in the database is lost and the object ceases to function. We
recommend that you create a new view and recreate the object (that exists with
another group).
Managing Remote Remote networks groups display user traffic originating from named remote
Networks networks. Once you create remote network groups, you can aggregate flow and
event search results on remote network groups, and create rules that test for
activity on remote network groups. This section provides information on managing
the remote networks including:
• Default Remote Network Groups
• Adding a Remote Networks Object
• Editing a Remote Networks Object

Default Remote QRadar includes the following default remote network groups:
Network Groups
Table 11-1 Default Remote Network Groups
BOT Specifies traffic originating from BOT applications.
Bogon Specifies traffic originating from un-assigned IP addresses.
Note: Bogon reference:
http://www.team-cymru.org/Services/Bogons/
HostileNets Specifies traffic originating from known hostile networks.
HostileNets has a set of 20 (rank 1 to 20 inclusive) configurable
CIDR ranges.
Neighbours This group is blank by default. You must configure this group to
classify traffic originating from neighboring networks.
Smurfs Specifies traffic originating from Smurf attacks. A Smurf attack is
a type of denial-of-service attack that floods a destination system
with spoofed broadcast ping messages.
Superflows This group is non-configurable. A superflow is a flow that is an
aggregate of a number of flows that have a similar predetermined
set of elements.
TrustedNetworks This group is blank by default. You must configure this group to
classify traffic originating from trusted networks.
Watchlists This group is blank by default. You can configure this group to
classify traffic originating from networks you want monitor.
Note: Groups and objects that include superflows are for informational purposes
only and cannot be edited. Groups and objects that include bogons are configured
by the Automatic Update function.
Adding a Remote To add a remote network object:

Networks Object
Step 2 In the navigation menu, click Remote Networks and Services Configuration.
The Remote Networks and Services Configuration panel appears.
Step 3 Click the Remote Networks icon.
Step 4 Click Add.
The Add New Object window appears.

Managing Remote Networks 153
Table 11-2 Remote Networks - Add New Object Parameters
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
IP/CIDR(s) Specify the IP address or CIDR range for the object. Click Add.
Description Specify a description for the object.
Database Length Using the drop-down list box, select the database length.
Step 6 Click Save.

Step 8 Close the Remote Networks View window.
All changes are deployed.
Editing a Remote To edit an existing Remote Networks object:

Networks Object


Step 3 Click the Remote Networks icon.
The Manage Group window appears.
Table 11-3 Manage Group
Name Specifies the name assigned to the view.
Actions Specifies the action available for each group including:
Open view properties window.
Step 4 Click the group you want to display.

Name Specifies the name assigned to the object.
Value(s) Specifies IP address(es) or CIDR ranges assigned to this object.
Actions Specifies the actions available for each object including:
Edit object properties.
Delete object.
Step 5 Click the edit icon.

The Properties window appears.

Step 6 Edit values as necessary. See Table 11-2.

Step 7 Click Save.
Step 9 Close the Remote Networks View window.
Managing Remote Remote services groups organize traffic originating from user-defined network
Services ranges or, if desired, the Q1 Labs automatic update server. Once you create
remote service groups, you can aggregate flow and event search results, and
create rules that test for activity on remote service groups. This section provides
information on managing the Remote Services groups including:
• Default Remote Service Groups
• Adding a Remote Services Object
• Editing a Remote Services Object
Default Remote QRadar includes the following default remote service groups:
Service Groups
Table 11-5 Default Remote Service Groups
IRC_Servers Specifies traffic originating from addresses commonly known as
chat servers.

Table 11-5 Default Remote Service Groups (continued)
Online_Services Specifies traffic originating from addresses commonly known
online services that may involve data loss.
Porn Specifies traffic originating from addresses commonly known to
contain explicit pornographic material.
Proxies Specifies traffic originating from commonly known open proxy
servers.
Reserved_IP_ Specifies traffic originating from reserved IP address ranges.
Ranges
Spam Specifies traffic originating from addresses commonly known to
produce SPAM or unwanted e-mail.
Spy_Adware Specifies traffic originating from addresses commonly known to
contain spyware or adware.
Superflows Specifies traffic originating from addresses commonly known to
produce superflows.
Warez Specifies traffic originating from addresses commonly known to
contain pirated software.
Adding a Remote To add a Remote Services Object:

Services Object
Step 3 Click the Remote Services icon.
Step 4 Click Add.
The Add New Object window appears.

Table 11-6 Remote Services - Add New Object Parameters
Group Select the group for this object. Using the drop-down list box,
select a group or click Add Group to add a new group.
IP/CIDR(s) Specify the IP address/CIDR range for the object. Click Add.
Database Length Using the drop-down list box, select the database length.
Step 6 Click Save.

Step 8 Close the Applications View window.
Editing a Remote To edit an existing Remote Services object:

Services Object
Step 3 Click the Remote Services icon.

Name Specifies the name assigned to the group.
Actions Specifies the action available for each group:
Open view properties window.
Step 4 Click the group you want to display.

Name Specifies the name assigned to the object.
Value Specifies ports assigned to this object.
Actions Specifies the actions available for each object including:
Edit view properties.
Delete object.
Step 5 Click the edit icon.

The Properties window appears.
Step 6 Edit values as necessary. See Table 11-6.

Step 7 Click Save.
Step 9 Close the Remote Services View window.

Using Best Practices 159

Using Best Given the complexities and network resources required for QRadar in large
Practices structured networks, we recommend the following best practices:
• Bundle objects and use the Network Activity and Log Activity interfaces to
analyze your network data. Fewer objects create less I/O to your disk.
• Typically, no more than 200 objects per group (for standard system
requirements). More objects may impact your processing power when
investigating your traffic.

From the Log Activity, Network Activity, and Offenses interfaces, you can configure
rules or building blocks. Rules match events, flows, or offenses by performing a
series of tests. If all the conditions of a test are true, the rule generates a response.
The two rule categories are:

• Custom Rules - Custom rules perform tests on events, flows, and offenses as
a means to detect unusual activity in your network.
• Anomaly Detection Rules - Anomaly detection rules perform tests on the
results of saved flow or event searches as a means to detect when unusual
traffic patterns occur in your network.
Possible responses to a rule include:

• Create an offense.
• Generate a response to an external system (syslog or SNMP).
• Send an e-mail.
• Generate system notifications using the Dashboard
The tests in each rule can also reference other building blocks and rules. You do
not need to create rules in any specific order since the system checks for
dependencies each time a new rule is added, edited, or deleted. If a rule that is
referenced by another rule is deleted or disabled, a warning appears and no action
is taken.
Each rule may contain the following components:

• Functions - With functions, you can use building blocks and other rules to
create a multi-event, multi-flow, or multi-offense function. You can also OR rules
together. For example, if you want to OR event rules together, you can use the
when an event matches any|all of the following rules function.
• Building blocks - A building block is a rule without a response and is used as a
common variable in multiple rules or to build complex rules or logic that you
want to use in other rules. You can save a group of tests as building blocks for
use with other functions. Building blocks allow you to re-use specific rule tests
in other rules. For example, you can save a building block that includes the IP
addresses of all mail servers in your network and then use that building block to
exclude those hosts from another rule. The default building blocks are provided

as guidelines, which should be reviewed and edited based on the needs of your
network.
• Tests - Property of an event, flow, or offense, such as source IP address,
severity of event, or rate analysis.
A user with non-administrative access can create rules for areas of the network
that they have access. You must have the appropriate role permissions to manage
rules. For more information about role permissions, see Chapter 2 Managing
Users.

• Viewing Rules
• Creating a Custom Rule
• Creating an Anomaly Detection Rule
• Copying a Rule
• Managing Rules
• Grouping Rules
• Editing Building Blocks
Viewing Rules To view deployed rules, rule type, and status:

Step 1 Select the Offenses tab.
The Offenses interface window appears.
Step 2 In the navigation menu, click Rules.
The rules interface appears.
Step 3 In the Display drop-down list box, select Rules.
The list of deployed rules appear.
For more information on the default rules, Appendix B Enterprise Template.

The Rules window provides the following information for each rule:

Viewing Rules 163
Table 12-1 Rules Window Parameters
Rule Name Specifies the name of the rule.
Group Specifies the group to which this rule is assigned. For more
information about groups, see Grouping Rules.
Rule Category Specifies the rule category for the rule. Options are:
• Custom Rule
• Anomaly Detection Rule
Rule Type Specifies the rule type. Custom rule types include:
• Event
• Flow
• Common
• Offense
Anomaly detection rule types include:
• Anomaly
• Threshold
• Behavioral
Enabled Specifies whether the rule is enabled or disabled. For more
information on enabling and disabling rules, see
Enabling/Disabling Rules
Response Specifies the rule response, if any. For more information about
rule responses, see Table 12-3.
Event /Flow Count Specifies the number of events or flows associated with this rule.
Offense Count Specifies the number of offenses generated by this rule.
Origin Specifies whether this rule is a default rule (System) or a custom
rule (User).
Creation Date Specifies the date and time this rule was created.
Modification Date Specifies the date and time this rule was modified.
The Rules interface toolbar provides the following functions:

Table 12-2 Rules Interface Toolbar
Button Function
Display Using the drop-down list box, select whether you want to
display rules or building blocks in the rules list.
Group Using the drop-down list box, select which rule group you
want to display in the rules list.
Allows you to manage rule groups. For more information on
grouping rules, see Grouping Rules.

Table 12-2 Rules Interface Toolbar (continued)
Button Function
Allows you to perform the following actions:
• New Event Rule - Allows you to create a new event rule.
See Creating a Custom Rule.
• New Flow Rule - Allows you to create a new flow rule.
See Creating a Custom Rule.
• New Common Rule - Allows you to create a new common
rule. See Creating a Custom Rule.
• New Offense Rule - Allows you to create a new offense
rule. See Creating a Custom Rule.
• Enable/Disable - Allows you to enable or disable selected
rules. See Enabling/Disabling Rules.
• Duplicate - Allows you to copy a selected rule. See
Copying a Rule.
• Edit - Allows you to edit a selected rule. See Editing a
Rule.
• Delete - Allows you to delete a selected rule. See
Deleting a Rule.
• Assign Groups - Allows you to assign selected rules to
rule groups. See Assigning an Item to a Group.
Revert Rule Allows you to revert a modified system rule to the default
value. Once you click Revert Rule, a confirmation window
appears. When you revert a rule, any previous modifications
are permanently removed.
Note: If you want to maintain a version of your modified rule,
we recommend you use the Duplicate function. Duplicate the
rule, and then use the Revert Rule function on the modified
rule.
Step 4 Select the rule you want to view.

If you selected a rule that specifies Custom Rule as the rule category, the Custom
Rules Wizard appears. If you selected a rule that specifies Anomaly Detection
Rule as the rule category, the Anomaly Detection Wizard appears. In the Rule and
Notes fields, descriptive information appears.

Creating a Custom Custom rules include the following rule types:

Rule • Event Rule - An event rule performs tests on events as they are processed in
real-time by the Event Processor. You can create an event rule to detect a
single event (within certain properties) or event sequences. For example, if you
want to monitor your network for invalid login attempts, access multiple hosts,
or a reconnaissance event followed by an exploit, you can create an event rule.
It is common for event rules to create offenses as a response.
• Flow Rule - A flow rule performs tests on flows as they are processed in
real-time by the QFlow Collector. You can create a flow rule to detect a single
flow (within certain properties) or flow sequences. It is common for flow rules to
create offenses as a response.
• Common Rule - A common rule performs tests on fields that are common to
both event and flow records. For example, you can create a common rule to
detect events and flows that have a specific source IP address. It is common for
common rules to create offenses as a response.
• Offense Rule - An offense rule processes offenses only when changes are
made to the offense, such as, when new events are added or the system
scheduled the offense for reassessment. It is common for offense rules to email
a notification as a response.
To create a new rule:

The rules window appears.
Step 3 On the rules window toolbar, choose one of the following options:
a Using the Actions drop-down list box, select New Event Rule to configure a
rule for events.
b Using the Actions drop-down list box, click New Flow Rule to configure a rule
for flows.

c Using the Actions drop-down list box, click New Common Rule to configure a
rule for events and flows.
d Using the Actions drop-down list box, click New Offense Rule to configure a
rule for offenses.
The Custom Rule wizard appears.
Note: If you do not want to view the Welcome to the Custom Rules Wizard window
again, select the Skip this page when running the rules wizard check box.

The Choose which type of rule you wish to apply window appears. The default is
the rule type you selected in the Offenses interface.

Step 5 If required, select the rule type you want to apply to the rule. Click Next.
The Rules Test Stack Editor window appears.

Step 6 To add a test to a rule:

a In the Test Group drop-down list box, select the type of test you want to apply to
this rule.
The resulting list of tests appear. For information on tests, see Appendix C
Rule Tests.
b For each test you want to add to the rule, select the + sign beside the test.
The selected test(s) appear in the Rule field.
c For each test added to the Rule field that you want to identify as an excluded
test, click and at the beginning of the test.
The and appears as and not.
d For each test added to the Rule field, you must customize the variables of the
test. Click the underlined configurable parameter to configure. See Appendix C
Rule Tests.
Step 7 In the enter rule name here field, enter a name you want to assign to this rule.
Step 8 To export the configured rule as a building block to use with other rules:
a Click Export as Building Block.
The Save Building Block window appears.
b Enter the name you want to assign to this building block.
c Click Save.

Step 9 In the groups area, select the check box(es) of the groups to which you want to
assign this rule. For more information on grouping rules, see Grouping Rules.
Step 10 In the Notes field, enter any notes you want to include for this rule. Click Next.
The Rule Responses window appears, which allows you to configure the action
QRadar takes when the event or flow sequence is detected.
a If you are configuring an Event Rule, Flow Rule, or Common Rule:
Table 12-3 Event/Flow/Common Rule Response Window Parameters
Rule Action
Severity Select the check box if you want this rule to set or
adjust severity to the configured level. Once
selected, you can configure the desired level.
Credibility Select the check box if you want this rule to set or
adjust credibility to the configured level. Once
Relevance Select the check box if you want this rule to set or
adjust relevance to the configured level. Once
Ensure the detected event is Select the check box if you want the event to be
part of an offense forwarded to the Magistrate component. If no
offense has been created in the Offenses interface,
a new offense is created. If an offense exist, this
event will be added.
If you select the check box, the following options
appear:
• Index offense based on - Using the drop-down
list box, select the parameter on which you want
to index the offense. The default is Source IP.
For event rules, options include destination IP,
destination IP identity, destination IPv6,
destination MAC address, destination port, event
name, hostname, log source, rule, source IP,
source IP identity, source IPv6, source MAC
address, source port, or username.
For flow rules, options include App ID, destination
ASN, destination IP, destination IP Identity,
destination port, event name, rule, source ASN,
source IP, source IP identity, or source Port.
For common rules, options include destination IP,
destination IP identity, destination port, rule,
source IP, source IP identity and source port.

Table 12-3 Event/Flow/Common Rule Response Window Parameters (continued)
• Annotate this offense - Select the check box if
you want to add an annotation to this offense. If
you select the check box, enter the annotation
you want to add to the offense.
• Include detected events by <index> from this
point forward, for second(s), in the offense -
Select the check box and configure the number of
seconds you want to include detected events by
<index> in the Offenses interface. This field
indicates the parameter on which the offense is
indexed. The default is Source IP.
Annotate event Select the check box if you want to add an
annotation to this event. If you select the check box,
enter the annotation you want to add to the event.
Drop the detected event Select the check box to force an event, which would
normally be sent to the Magistrate component to be
sent to the Ariel database for reporting or searching.
This event does not appear in the Offenses
interface.
Rule Response
Dispatch New Event Select the check box to dispatch a new event in
addition to the original event or flow, which will be
processed like all other events in the system.
The Dispatch New Event parameters appear when
you select the check box. By default, the check box
is clear.
Event Name Specify the name of the event you want to display in
the Offenses interface.
Event Description Specify a description for the event. The description
appears in the Annotations of the event details.
Offense Naming Select one of the following options:
• This information should contribute to the
name of the associated offense(s) - Select this
option if you want the Event Name information to
contribute to the name of the offense(s).
• This information should set or replace the
option if you want the configured Event Name to
be the name of the offense(s).
• This information should not contribute to the
naming of the associated offense(s) - Select
this option if you do not want the Event Name
information to contribute to the name of the
offense(s). This is the default.

Severity Specify the severity for the event. The range is 0
(lowest) to 10 (highest) and the default is 0. The
Severity appears in the Annotation of the event
details.
Credibility Specify the credibility of the event. The range is 0
(lowest) to 10 (highest) and the default is 10.
Credibility appears in the Annotation of the event
details.
Relevance Specify the relevance of the event. The range is 0
Relevance appears in the Annotation of the event
details.
High-Level Category Specify the high-level event category you want this
rule to use when processing events.
For more information on event categories, see
Appendix E Event Categories.
Low-Level Category Specify the low-level event category you want this
Annotate this offense Select the check box if you want to add an
annotation to this offense. If you select the check
box, enter the annotation you want to add to the
offense.

Ensure the Select the check box if you want, as a result of this
dispatched event is rule, the event forwarded to the Magistrate
part of an offense component. If no offense has been created in the
Offenses interface, a new offense is created. If an
offense exists, this event will be added.
If you select the check box, the following option
appears:
• Index offense based on - Using the drop-down
list box, select the parameter on which you want
to index the offense. The default is Source IP.
For event rules, options include destination IP,
destination IP identity, destination IPv6,
destination MAC address, destination port, event
name, hostname, log source, rule, source IP,
source IP identity, source IPv6, source MAC
address, source port, or username.
For flow rules, options include App ID, destination
ASN, destination IP, destination IP Identity,
destination port, event name, rule, source ASN,
source IP, source IP identity, or source Port.
For common rules, options include destination IP,
destination IP identity, destination port, rule,
source IP, source IP identity and source port.
• Include detected events by <index> from this
point forward, for second(s), in the offense -
Select the check box and configure the number of
seconds you want to include detected events by
<index> in the Offenses interface. This field
indicates the parameter on which the offense is
indexed. The default is Source IP.
Email Select the check box to display the e-mail options.
By default, the check box is clear.
Enter email Specify the e-mail address(es) to send notification if
addresses to notify this rule generates. Separate multiple e-mail
addresses using a comma.

SNMP Trap This parameter only appears when the SNMP
Settings parameters are configured in the QRadar
System Management window. For more information,
see Chapter 5 Setting Up QRadar.
Select the check box to send an SNMP trap.
The SNMP trap output includes system time, the
trap OID, and the notification data, as defined by the
Q1 Labs MIB. For more information on the Q1 Labs
MIB, see Appendix A Q1 Labs MIB.
For example, the SNMP notification may resemble:
"Wed Sep 28 12:20:57 GMT 2005, QRADAR
Custom Rule Engine Notification - Rule
'SNMPTRAPTest' Fired. 172.16.20.98:0
-> 172.16.60.75:0 1, Event Name: ICMP
Destination Unreachable Communication
with Destination Host is
Administratively Prohibited, QID:
1000156, Category: 1014, Notes:
Offense description"
Send to SysLog Select the check box if you want to log the event or
flow. By default, the check box is clear.
For example, the syslog output may resemble:
Sep 28 12:39:01 localhost.localdomain
ECS: Rule 'Name of Rule' Fired:
172.16.60.219:12642 ->
172.16.210.126:6666 6, Event Name:
SCAN SYN FIN, QID: 1000398, Category:
1011, Notes: Event description
Notify Select the check box if you want events that
generate as a result of this rule to appear in the
System Notifications item in the Dashboard
interface.
For more information on the Dashboard interface,
see the QRadar Users Guide.
Note: If you enable notifications, we recommend
that you configure the Response Limiter parameter.

Add to Reference Set The Rules interface allows you to create rules to
import event and flow data into a reference set. A
reference set is a set of data, such as a list of IP
addresses. Once you have created a reference set,
you can create rules to detect when log or network
activity associated with the reference set occurs on
your network.
Select the check box if you want events that
generate as a result of this rule to add data to a
reference set.
To add data to a reference set:
1 Using the first drop-down list box, select the data you
want to add. Options include all normalized or custom
data.
2 Using the second drop-down list box, specify the
reference set to which you want to add the specified
data.
The Add to Reference Set rule response provides
the following functions:
• New - Allows you to add a new reference set.
Once you click New, you must configure the
following:
Name - Specify a unique name.
Type - Specify the data type. Options include
String, Numeric, IP, and Port.
Maximum number of elements - Specify the
maximum number of data elements you want to
store in this reference set. The default is 10,000
and the maximum is 500,000.
• Edit - Allows you to edit the reference set name
and maximum number of data elements for the
selected reference set.
• Delete - Allows you to delete the reference set.
• Purge - Allows you to delete the contents of the
reference set while maintaining the reference set.

Hint: You can create a reference set to contain
data derived from an external file. For example,
you can create a reference set to retain data
about terminated employees. First, you would
create a log source extension document to import
a text file containing terminated employee data,
such as IP addresses and usernames. Then
using the Custom Rule Wizard, create a reference
set specifying which data you want to retain from
the external file. Once the reference set is
created, you create a rule that generates a
response when a reference set element, such as
the IP address of a terminated employee, is
detected on your network. For more information
on log source extension documents, see the Log
Sources User Guide.
Response Limiter Specify the frequency you want this rule to respond.
Enable Rule Select the check box to enable this rule. By default,
the check box is selected.
b If you are configuring an Offense Rule:

Table 12-4 Offense Rule Response Window Parameters
Rule Action
Name / Annotate the detected Select the check box to display Name options.
offense
New Offense Name Specify the name you want to assign to the offense.
Offense Annotation Specify the offense annotation you want to appear in
Offense Name Select one of the following options:
name of the offense - Select this option if you
want the Event Name information to contribute to
the name of the offense.
name of the offense - Select this option if you
want the configured Event Name to be the name
of the offense.
Email Select the check box to display the email options. By
default, the check box is clear.
Enter email Specify the e-mail address(es) to send notification if
addresses to notify the event generates. Separate multiple e-mail
addresses using a comma.

Table 12-4 Offense Rule Response Window Parameters (continued)
Enabled parameter is enabled in the QRadar
For an offense rule, the SNMP trap output includes
system time, the trap OID, and the notification data,
as defined by the Q1 Labs MIB. For more
information on the Q1 Labs MIB, see Q1 Labs MIB.
-> 172.16.60.75:0 1, Event Name: ICMP
Send to SysLog Select the check box if you want to log the offense.
By default, the check box is clear.
ECS: Offense CRE Rule SYSLOGTest fired
on offense #59
Response Limiter Specify the frequency you want this rule to respond
for each offense that the rules matches.
Step 12 Click Next.

The Rule Summary window appears.
Step 13 Review the configured rule. Click Finish.
Creating an Anomaly detection rules perform tests on the results of saved flow or event
Anomaly Detection searches as a means to detect when unusual traffic patterns occur in your network.
Rule This rule category includes the following rule types:
• Anomaly - An anomaly rule tests event and flow traffic for abnormal activity
such as the existence of new or unknown traffic, which is traffic that suddenly
ceases or a percentage change in the amount of time an object is active. For
example, you can create an anomaly rule to compare the average volume of
traffic for the last 5 minutes with the average volume of traffic over the last hour.
If there is more than a 40% change, the rule generates a response.

• Threshold - A threshold rule tests event and flow traffic for activity that less
than, equal to, or greater than a configured threshold, or within a specified
range. Thresholds can be based on any data collected by QRadar. For
example, you can create a threshold rule specifying that no more than 220
clients can log into the server between 8 am and 5 pm. The threshold rule
generates an alert when the 221st client attempts to login.
• Behavioral - A behavioral rule tests event and flow traffic for volume changes
in behavior that occurs in regular seasonal patterns. For example, if a mail
server typically communicates with 100 hosts per second in the middle of the
night and then suddenly starts communicating with 1,000 hosts a second, a
behavioral rule generates an alert.
To create a new anomaly detection rule:

Step 1 Select the Log Activity or Network Activity tab.
The Log Activity or Network Activity interface window appears.
Step 2 Perform a search.
Note: Your search criteria must be aggregated. Anomaly detection rules uses all
grouping and filter criteria from the saved search criteria, but does not use any time
ranges from the search criteria. The Anomaly Detection Rule Wizard allows you to
apply time range criteria using Data and Time tests. For more information about
the search feature, see the QRadar Users Guide.
The search results appear.
Step 3 From the Rules menu, select the rule type you want to create. Options include:
• Add Anomaly Rule
• Add Threshold Rule
• Add Behavioral Rule
The Anomaly Detection Rule wizard appears.

Note: If you do not want to view the Welcome to the Anomaly Detection Rules
Wizard window again, select the Skip this page when running the rules wizard
check box.
The Choose which type of rule you wish to apply window appears. The default is
the rule type you selected in the Network Activity or Log Activity interface.

Step 5 If required, select the rule type you want to apply to the rule. Click Next.
The Rules Test Stack Editor window appears.

The rule is prepopulated with default test(s). You can edit the default test(s) or add
tests to the test stack. At least one Accumulated Property test must be included in
the test stack.
Step 6 To add a test to a rule:
a In the Test Group drop-down list box, select the type of test you want to apply to
this rule.
The resulting list of tests appear. For information on tests, see Appendix C
Rule Tests.
b For each test you want to add to the rule, select the + sign beside the test.
The selected test(s) appear in the Rule field.
c For each test added to the Rule field that you want to identify as an excluded
test, click and at the beginning of the test.
The and appears as and not.
d For each test added to the Rule field, you must customize the variables of the
test. Click the underlined configurable parameter to configure. See Appendix C
Rule Tests.
By default, the rule tests the selected accumulated property for each event/flow
group separately. For example, if the selected accumulated value is
UniqueCount(sourceIP), the rule tests each unique source IP address for each
event/flow group
Step 7 To test the total selected accumulated properties for each event/flow group, clear
the Test the [Selected Accumulated Property] value of each [group]
separately check box.
Note: This is a dynamic field. The [Selected Accumulated Property] value depends
on what option you select for the this accumulated property test field. For
information on tests, see Appendix C Rule Tests. The [group] value depends on
the grouping options specified in the saved search criteria. If multiple grouping
options are included, the text may be truncated. Move your mouse pointer over the
text to view all groups.
Step 8 In the enter rule name here field, enter a name you want to assign to this rule.
Step 9 In the groups area, select the check box(es) of the groups to which you want to
assign this rule. For more information on grouping rules, see Grouping Rules.
Step 10 In the Notes field, enter any notes you want to include for this rule. Click Next.
The Rule Responses window appears, which allows you to configure the action
QRadar takes when the event or flow sequence is detected.
Step 11 Configure the parameters:
Table 12-5 Anomaly Detection Rule Response Window Parameters
Rule Response

Table 12-5 Anomaly Detection Rule Response Window Parameters (continued)
Dispatch New Event Specifies that this rule dispatches a new event in
addition to the original event or flow, which will be
processed like all other events in the system.
By default, the check box is selected and cannot be
cleared.
Event Name Specify the name of the event you want to display in
Event Description Specify a description for the event. The description
appears in the Annotations of the event details.
Offense Naming Select one of the following options:
option if you want the Event Name information to
contribute to the name of the offense(s).
option if you want the configured Event Name to
be the name of the offense(s).
• This information should not contribute to the
naming of the associated offense(s) - Select
this option if you do not want the Event Name
information to contribute to the name of the
offense(s). This is the default.
details.
Credibility Specify the credibility of the event. The range is
0(lowest) to 10 (highest) and the default is 5.
details.
details.

details.
Credibility Specify the credibility of the event. The range is
0(lowest) to 10 (highest) and the default is 5.
details.
details.

Settings parameters are configured in the QRadar
The SNMP trap output includes system time, the
trap OID, and the notification data, as defined by the
Q1 Labs MIB. For more information on the Q1 Labs
MIB, see Appendix A Q1 Labs MIB.
-> 172.16.60.75:0 1, Event Name: ICMP
Send to SysLog Select the check box if you want to log the event or
flow. By default, the check box is clear.
ECS: Rule 'Name of Rule' Fired:
172.16.60.219:12642 ->
172.16.210.126:6666 6, Event Name:
SCAN SYN FIN, QID: 1000398, Category:
1011, Notes: Event description
Notify Select the check box if you want events that
generate as a result of this rule to appear in the
System Notifications item in the Dashboard
interface.
For more information on the Dashboard interface,
see the QRadar Users Guide.
Note: If you enable notifications, we recommend
that you configure the Response Limiter parameter.

Add to Reference Set The Rules interface allows you to create rules to
import event and flow data into a reference set. A
reference set is a set of data, such as a list of IP
addresses. Once you have created a reference set,
you can create rules to detect when log or network
activity associated with the reference set occurs on
your network.
Select the check box if you want events that
generate as a result of this rule to add data to a
reference set.
To add data to a reference set:
1 Using the first drop-down list box, select the data you
want to add. Options include all normalized or custom
data.
2 Using the second drop-down list box, specify the
reference set to which you want to add the specified
data.
The Add to Reference Set rule response provides
the following functions:
• New - Allows you to add a new reference set.
Once you click New, you must configure the
following:
Name - Specify a unique name.
Type - Specify the data type. Options include
String, Numeric, IP, and Port.
Maximum number of elements - Specify the
maximum number of data elements you want to
store in this reference set. The default is 10,000
and the maximum is 500,000.
• Edit - Allows you to edit the reference set name
and maximum number of data elements for the
selected reference set.
• Delete - Allows you to delete the reference set.
• Purge - Allows you to delete the contents of the
reference set while maintaining the reference set.

Managing Rules 185
Hint: You can create a reference set to contain
data derived from an external file. For example,
you can create a reference set to retain data
about terminated employees. First, you would
create a log source extension document to import
a text file containing terminated employee data,
such as IP addresses and usernames. Then
using the Custom Rule Wizard, create a reference
set specifying which data you want to retain from
the external file. Once the reference set is
created, you create a rule that generates a
response when a reference set element, such as
the IP address of a terminated employee, is
detected on your network. For more information
on log source extension documents, see the Log
Sources User Guide.
Response Limiter Specify the frequency you want this rule to respond.
Step 12 Click Next.

Step 13 Review the configured rule. Click Finish.
Managing Rules Using the Rules feature in the Offenses interface, you can manage custom and
anomaly rules. This section includes:
• Enabling/Disabling Rules
• Editing a Rule
• Copying a Rule
• Deleting a Rule
Note: The anomaly detection functionality in the Log Activity and Network
interfaces only allows you to create anomaly detection rules. To manage default
and previously created anomaly detection rules, you must use the Offenses
interface.

Enabling/Disabling To enable or disable a rule:

Rules
The rules interface appears.
The list of deployed rules appear.
Step 4 Select the rule you want to enable or disable.
For more information on each rule, see Appendix B Enterprise Template.
Step 5 Using the Actions drop-down list box, select Enable/Disable.
The Enabled column indicates the status.
Editing a Rule To edit a rule:

The Offenses interface appears.
Step 2 In the navigation bar, click Rules.
Step 4 Select the rule you want to edit.
Step 5 Using the Actions drop-down list box, select Edit.
The selected rule appears, displaying the Rule Test Stack Editor.
Step 6 Edit the parameters. See Table 12-1.
Step 7 Click Next.
The Rule Response window appears.
Step 8 Edit the parameters:
• See Table 12-3 for event, flow, or common rule parameters.
• See Table 12-4 for offense rule parameters.
• See Table 12-5 for anomaly detection rule parameters.
Step 9 Click Next.
Step 10 Review the edited rule. Click Finish.
Copying a Rule To copy a rule:


Grouping Rules 187

Step 4 Select the rule you want to duplicate.
Step 5 Using the Actions drop-down list box, select Duplicate.
Step 6 In the Enter name for the copied rule, enter a name for the new rule. Click Ok.
The duplicated rule appears.
Step 7 Using the Actions drop-down list box, select Edit.
Step 8 Edit the rule.
For more information on editing the rule, see Editing a Rule.
Deleting a Rule To delete a rule:

Step 4 Select the rule you want to delete.
Step 5 Using the Actions drop-down list box, select Delete.
Grouping Rules You can group and view your rules and building blocks based on your chosen
criteria. Categorizing your rules or building blocks into groups allows you to
efficiently view and track your rules. For example, you can view all rules related to
compliance. By default, the Rules interface displays all rules and building blocks.
As you create new rules, you can assign the rule to an existing group. For
information on assigning a group using the rule wizard, see Creating a Custom
Rule or Creating an Anomaly Detection Rule.
Note: You must have administrative access to create, edit, or delete groups. For
more information on user roles, see Chapter 2 Managing Users.
This section provides information on grouping rules and building blocks including:
• Viewing Groups
• Creating a Group
• Editing a Group
• Copying an Item to Another Group(s)
• Deleting an Item from a Group
• Assigning an Item to a Group

Viewing Groups To view rules or building blocks using groups:

Step 1 Click the Offenses tab.
Step 3 Using the Display drop-down list box, select whether you want to view Rules or
Building blocks.
Step 4 Form the Filter drop-down list box, select the group category you want to view.
Step 5 The list of items assigned to that group appear.
Creating a Group To create a group:

Step 3 Click Groups.
The Group window appears.
Step 4 From the menu tree, select the group under which you want to create a new group.
Note: Once you create the group, you can drag and drop menu tree items to
change the organization of the tree items.
Step 5 Click New Group.
The Group Properties window appears.

Grouping Rules 189

• Name - Specify the name you want to assign to the new group. The name may
• Description - Specify a description you want to assign to this group. The
description may be up to 255 characters in length.
Step 7 Click Ok.
Step 8 If you want to change the location of the new group, click the new group and drag
the folder to the desired location in your menu tree.
Step 9 Close the Groups window.
Editing a Group To edit a group:


Step 4 From the menu tree, select the group you want to edit.
Step 5 Click Edit.
The Group Properties window appears.
Step 6 Update values for the parameters, as necessary:
• Name - Specify the name you want to assign to the new group. The name may
• Description - Specify a description you want to assign to this group. The
description may be up to 255 characters in length.
Step 7 Click Ok.
Step 8 If you want to change the location of the group, click the new group and drag the
folder to the desired location in your menu tree.
Copying an Item to Using the groups functionality, you can move a rule or building block to one or
Another Group(s) many groups. To move a rule or building block:
The Offense interface appears.

Grouping Rules 191
Step 4 From the menu tree, select the rule or building block you want to move to another
group.
Step 5 Click Copy.
The Choose Group window appears.
Step 6 Select the check box for the group(s) to which you want to move the rule or
building block.
Step 7 Click Copy.

Deleting an Item from To delete a rule or building block from a group:

a Group
Note: Deleting a group removes this rule or building block from the Rules
interface. Deleting an item from a group does not delete the rule or building block
from the Rules interface.
Step 1 Click the Offense tab.
Step 4 From the menu tree, select the top level group.
Step 5 From the list of groups, select the group you want to delete.
Step 6 Click Remove.
Step 7 Click Ok.
Step 8 If you want to change the location of the new group, click the new group and drag
the folder to the desired location in your menu tree.
Assigning an Item to To assign a rule or building block to a group:

a Group
Step 3 Select the rule or building block you want to assign to a group.
Step 4 Using the Actions drop-down list box, select Assign Groups.
The Choose Group window appears.
Step 5 Click Assign Groups.
Editing Building Building blocks allow you to re-use specific rule tests in other rules. For example,
Blocks you can save a building block that excludes the IP addresses of all mail servers in
your deployment from the rule.
For more information on the defaults, see Appendix B Enterprise Template.
To edit a building block:


Editing Building Blocks 193

The rules window appears.
Step 3 In the Display drop-down list box, select Building Blocks.
The Building Blocks appear.
Step 4 Double-click the building block you want to edit.
The Custom Rules Wizard appears.
Step 5 Update the building block, as necessary. Click Next.

Step 6 Continue through the wizard. For more information, see Creating a Custom Rule.
The Rule Summary appears.


The Server Discovery function uses QRadar’s Asset Profile database to discover
different server types based on port definitions, then allows you to select which
servers should be added to a server-type building block. This feature makes the
discovery and tuning process simpler and faster by allowing a quick mechanism to
insert servers into building blocks.
The Server Discovery function is based on server-type building blocks. Ports are
used to define the server type so that the server-type building block essentially
functions as a port-based filter when searching the Asset Profile database.
For more information on building blocks, see Chapter 11 Configuring Rules.
To discover servers:
Step 1 Click the Assets tab.
The Assets interface appears.
Step 2 In the navigation menu, click Server Discovery.
The Server Discovery panel appears.
Step 3 From the Server Type drop-down list box, select the server type you want to
discover.
Step 4 Select the option to determine the servers you want to discover including:
• All - Search all servers in your deployment with the currently selected Server
Type.
• Assigned - Search servers in your deployment that have been previously
assigned to the currently selected Server Type.
• Unassigned - Search servers in your deployment that have not been
previously assigned.
Step 5 From the Network drop-down list box, select the network you want to search.
Step 6 Click Discover Servers.
The discovered servers appear.

Step 7 In the Matching Servers table, select the check box(es) of all servers you want to
assign to the server role.
Note: If you want to modify the search criteria, click either Edit Port or Edit
Definition. The Rules Wizard appears. For more information on the rules wizard,
see Chapter 11 Configuring Rules.
Step 8 Click Approve Selected Servers.

QRadar allows you to forward received log data to other products. You can forward
syslog data (raw log data) received from devices as well as QRadar normalized
event data. You can forward data on a per Event Collector/Event Processor basis
and you can configure multiple forwarding destinations. Also, QRadar ensures that
all data that is forwarded is unaltered.

• Adding a Syslog Destination
• Editing a Syslog Destination
• Delete a Syslog Destination
Adding a Syslog To add a syslog forwarding destination:

Destination
Step 3 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 4 Click Add.



• Forwarding Event Collector - Using the drop-down list box, select the
deployed Event Collector from which you want to forward log data.
• IP - Enter the IP address of the system to which you want to forward log data.
• Port - Enter the port number on the system to which you want to forward log
data.
Step 6 Click Save.
Editing a Syslog To edit a syslog forwarding destination:

Destination
Step 4 Select the entry you want to edit.
Step 5 Click Edit.
Step 6 Update values, as necessary:

• Forwarding Event Collector - Using the drop-down list box, select the
deployed Event Collector from which you want to forward log data.
• IP - Enter the IP address of the system to which you want to forward log data.
• Port - Enter the port number on the system to which you want to forward log
data.
Step 7 Click Save.

Delete a Syslog Destination 199
Delete a Syslog To delete a syslog forwarding destination:

Destination
Step 4 Select the entry you want to delete.
Step 6 Click Ok.

A Q1 LABS MIB
This appendix provides information on the Q1 Labs Management Information Base

(MIB). The Q1 Labs MIB allows you to send SNMP traps to other network
management systems. The Q1 Labs OID is 1.3.6.1.4.1.20212.
Note: For assistance with the Q1 Labs MIB, please contact Q1 Labs Customer
Support.
The Q1 Labs MIB includes:

Q1LABS-MIB DEFINITIONS ::= BEGIN
IMPORTS
OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY, Integer32,
Opaque, enterprises, Counter32 FROM SNMPv2-SMI
DisplayString FROM SNMPv2-TC;
q1Labs MODULE-IDENTITY
LAST-UPDATED "200804110000Z"
ORGANIZATION "Q1 Labs Inc"
CONTACT-INFO
"
890 Winter Street
Suite 230
Waltham, MA 02451 USA
Phone: 781-250-5800
email: info@q1labs.com
"
DESCRIPTION
"Q1 Labs MIB Definition"
::= { enterprises 20212 }
notifications OBJECT IDENTIFIER ::= { q1Labs 1 }
properties OBJECT IDENTIFIER ::= { q1Labs 2 }
customProperties OBJECT IDENTIFIER ::= { q1Labs 3 }
-- Notifications

202 Q1 LABS MIB
eventCRENotification NOTIFICATION-TYPE
STATUS current
DESCRIPTION "QRADAR's Event CRE Notification"
::= { notifications 1 }
offenseCRENotification NOTIFICATION-TYPE
STATUS current
DESCRIPTION "QRADAR's Offense CRE Notification"
::= { notifications 2 }
-- Properties
-- Misc Properties
localHostAddress OBJECT-TYPE
SYNTAX IpAddress
MAX-ACCESS accessible-for-notify
STATUS current
DESCRIPTION "IP address of the local machine where the
notification originated"
::= { properties 1 }
timeString OBJECT-TYPE
SYNTAX DisplayString (SIZE(0..64))
STATUS current
DESCRIPTION "Time offense was created or time the event rule
fired. Example 'Mon Apr 28 10:14:49 GMT 2008'"
timeInMillis OBJECT-TYPE
SYNTAX Counter64
STATUS current
DESCRIPTION "Time offense was created or time the event rule
fired in milliseconds"
-- Offense Properties
offenseID OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Offense ID"
offenseName OBJECT-TYPE

203

STATUS current
DESCRIPTION "Name of the Offense"
offenseDescription OBJECT-TYPE
STATUS current
DESCRIPTION "Description of the Offense"
offenseLink OBJECT-TYPE
STATUS current
DESCRIPTION "HTTP link to the offense"
magnitude OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Offense magnitude"
severity OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Offense severity"
creditibility OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Offense creditibility"
relevance OBJECT-TYPE
SYNTAX Integer32

204 Q1 LABS MIB
STATUS current
DESCRIPTION "Offense relevance"
-- Attacker Properties
attackerIP OBJECT-TYPE
SYNTAX IpAddress
STATUS current
DESCRIPTION "Attacker IP"
attackersUserName OBJECT-TYPE
STATUS current
DESCRIPTION "Attacker's User Name"
attackerCount OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Total Number of Attackers"
top5AttackerIPs OBJECT-TYPE
STATUS current
DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)"
topAttackerIP OBJECT-TYPE
SYNTAX IpAddress
STATUS current
DESCRIPTION "Top Attacker IPs"
top5AttackerUsernames OBJECT-TYPE
STATUS current

205
DESCRIPTION "Top 5 Attackers by Magnitude(comma separated)"

topAttackerUsername OBJECT-TYPE
STATUS current
DESCRIPTION "Top Attacker IPs"
attackerNetworks OBJECT-TYPE
STATUS current
DESCRIPTION "Attacker Networks(comma separated)"
-- Target Properties
targetIP OBJECT-TYPE
SYNTAX IpAddress
STATUS current
DESCRIPTION "Target IP"
targetsUserName OBJECT-TYPE
STATUS current
DESCRIPTION "Target's User Name"
targetCount OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Total Number of Targets"
top5TargetIPs OBJECT-TYPE
STATUS current
DESCRIPTION "Top 5 Target IPs by Magnitude"

206 Q1 LABS MIB
topTargetIP OBJECT-TYPE
SYNTAX IpAddress
STATUS current
DESCRIPTION "Top Target"
top5TargetUsernames OBJECT-TYPE
STATUS current
DESCRIPTION "Top 5 Target IPs by Magnitude"
topTargetUsername OBJECT-TYPE
STATUS current
DESCRIPTION "Top Target"
targetNetworks OBJECT-TYPE
STATUS current
DESCRIPTION "Target Networks(comma separated)"
-- Category properties
categoryCount OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Total Number of Categories"
top5Categories OBJECT-TYPE
STATUS current
DESCRIPTION "Top 5 Categories(comma separated)"

207
topCategory OBJECT-TYPE
STATUS current
DESCRIPTION "Top Category"
categoryID OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Category ID of Event that triggered the Event
CRE Rule"
category OBJECT-TYPE
STATUS current
DESCRIPTION "Category of the Event that triggered the Event
CRE Rule"
-- Annontation Properties
annotationCount OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Total Number of Annotations"
topAnnotation OBJECT-TYPE
STATUS current
DESCRIPTION "Top Annotation"
-- Rule Properties
ruleCount OBJECT-TYPE
SYNTAX Integer32
STATUS current

208 Q1 LABS MIB
DESCRIPTION "Total Number of Rules contained in the

Offense"
ruleNames OBJECT-TYPE
STATUS current
DESCRIPTION "Names of the Rules that contributed to the
Offense(comma separated)"
ruleID OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "ID of the Rule that was triggered in the CRE"
ruleName OBJECT-TYPE
STATUS current
DESCRIPTION "Name of the Rules that was triggered in the
CRE"
ruleDescription OBJECT-TYPE
STATUS current
DESCRIPTION "Description/Notes of the Rules that was
triggered in the CRE"
-- Event Properties
eventCount OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Total Number of Events contained in the
Offense"
eventID OBJECT-TYPE

209
SYNTAX Integer32
STATUS current
DESCRIPTION "ID of the Event that triggered the Event CRE
Rule"
qid OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "QID of the Event that triggered the Event CRE
Rule"
eventName OBJECT-TYPE
STATUS current
DESCRIPTION "Name of the Event that triggered the Event CRE
Rule"
eventDescription OBJECT-TYPE
STATUS current
DESCRIPTION "Description/Notes of the Event that triggered
the Event CRE Rule"
-- IP Properties
sourceIP OBJECT-TYPE
SYNTAX IpAddress
STATUS current
DESCRIPTION "Source IP of the Event that triggered the
Event CRE Rule"
sourcePort OBJECT-TYPE
SYNTAX Integer32
STATUS current

210 Q1 LABS MIB
DESCRIPTION "Source Port of the Event that triggered the

Event CRE Rule"
destinationIP OBJECT-TYPE
SYNTAX IpAddress
STATUS current
DESCRIPTION "Destination IP of the Event that triggered the
Event CRE Rule"
destinationPort OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Destination Port of the Event that triggered
the Event CRE Rule"
protocol OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Protocol of the Event that triggered the Event
CRE Rule"
attackerPort OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Source Port of the Event that triggered the
Event CRE Rule"
targetPort OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION "Destination Port of the Event that triggered
the Event CRE Rule"
-- =====================

211
-- *** Obselete OIDs ***

-- =====================
q1NotificationData OBJECT-TYPE
STATUS current
DESCRIPTION "Notification Data"
::= { q1Labs 100 }
q1NotificationsOBJECT IDENTIFIER
::= { q1Labs 200 }
q1CRENotification NOTIFICATION-TYPE
STATUS current
DESCRIPTION "QRADAR Custom Rule Engine Notification"
::= { q1Notifications 0 }
q1EventRuleNotification NOTIFICATION-TYPE
STATUS current
DESCRIPTION "Notification Triggered by a QRadar Custom
Event Rule"
q1OffenseRuleNotification NOTIFICATION-TYPE
STATUS current
DESCRIPTION "Notification Triggered by a QRadar Custom
Offense Rule"
q1SentryNotification NOTIFICATION-TYPE
STATUS current
DESCRIPTION "Notification Triggered by a QRadar Sentry"
END

B ENTERPRISE TEMPLATE
The Enterprise template includes settings with emphasis on internal network

activities. This appendix provides the defaults for the Enterprise template
including:
• Default Rules
• Default Building Blocks
Default Rules Default rules for the Enterprise template include:

Table B-1 Default Rules
Rule Enabl
Rule Group Type ed Description
Anomaly: Devices with Anomaly Event False Monitors devices for high event rates. Typically, the
High Event Rates default threshold is low for most networks and we
recommend that you adjust this value before
enabling this rule. To configure which devices will
be monitored, edit the BB:DeviceDefinition: Devices
to Monitor for High Event Rates BB.
Anomaly: DMZ Jumping Anomaly Common False Reports when connections are bridged across your
network’s Demilitarized Zone (DMZ).
Anomaly: DMZ Reverse Anomaly Common False Reports when connections are bridged across your
Tunnel network’s DMZ through a reverse tunnel.
Anomaly: Excessive Anomaly Event True Reports an excessive number of successful
Database Connections database connections.
Anomaly: Excessive Anomaly Event False Reports excessive firewall accepts across multiple
Firewall Accepts Across hosts. More than 100 events were detected across
Multiple Hosts at least 100 unique destination IP addresses in 5
minutes.
Anomaly: Excessive Anomaly Event False Reports excessive firewall accepts from multiple
Firewall Accepts Across hosts to a single destination. Detects more than 100
Multiple Sources to a firewall accepts across more than 100 sources IP
Single Destination addresses within 5 minutes.
Anomaly: Excessive Anomaly Event True Reports excessive firewall denies from a single
Firewall Denies from host. Detects more than 400 firewall deny attempts
Single Source from a single source to a single destination within 5
minutes.

214 ENTERPRISE TEMPLATE
Table B-1 Default Rules (continued)
Rule Enabl
Anomaly: Long Duration Anomaly Flow True Reports a flow communicating to or from the
Flow Involving a Internet with a sustained duration of more than 48
Remote Host hours.
Anomaly: Long Duration Anomaly Flow False Reports a flow communicating using ICMP with a
ICMP Flows sustained duration of more than 60 minutes.
Anomaly: Outbound Anomaly Event False Reports successful logins or access from an IP
Connection to a Foreign address known to be in a country that does not
Country have remote access right. Before you enable this
rule, we recommend that you configure the
BB:CategoryDefinition: Countries with no Remote
Access BB.
Anomaly: Potential Anomaly Event False Reports an event that has a source or destination IP
Honeypot Access address defined as a honeypot or tarpit address.
Before enabling this rule, you must configure the
BB:HostDefinition: Honeypot like addresses BB.
Anomaly: Remote Anomaly Event False Reports successful logins or access from an IP
Access from Foreign address known to be in a country that does not
Country have remote access right. Before you enable this
rule, we recommend that you configure the
Access BB.
Anomaly: Remote Anomaly Flow False Reports a flow communicating from an IP address
Inbound Communication known to be in a country that does not have remote
from a Foreign Country access right. Before you enable this rule, we
recommend that you configure the
Access BB.
Anomaly: Single IP with Anomaly Event False Reports when the MAC address of a single IP
Multiple MAC address changes multiple times over a period of
Addresses time.
Authentication: Login Authentication Event False Reports a host login failure message from a
Failure to Disabled disabled user account. If the user is no longer a
Account member of your organization, we recommend that
you investigate other received authentication
messages from the same user.
Authentication: Login Authentication Event False Reports a host login failure message from an
Failure to Expired expired user account known. If the user is no longer
Account a member of the organization, we recommend that
you investigate any other received authentication
messages from the same user.
Authentication: Login Authentication Event True Reports multiple login failures to a single
Failures Followed By destination IP address, followed by a successful
Success to the same login to the destination IP address.
Destination IP

Default Rules 215
Rule Enabl
Authentication: Login Authentication Event True Reports multiple login failures from a single source
Failures Followed By IP address, followed by a successful login.
Success From Single
Source IP
Authentication: Login Authentication Event True Reports multiple login failures followed by a
Failures Followed By successful login from the same user.
Success to the same
Username
Authentication: Login Authentication Common True Reports a successful login to a host after
Successful After Scan reconnaissance has been detected on his network.
Attempt
Authentication: Multiple Authentication Event True Reports authentication failures for the same
Login Failures for Single username.
Username
Authentication: Multiple Authentication Event True Reports authentication failures from the same
Login Failures from the source IP address to more than three destination IP
Same Source address more than ten times within 5 minutes.
Authentication: Multiple Authentication Event True Reports authentication failures to the same
Login Failures to the destination IP address from more than ten source
Same Destination IP addresses more than ten times within 10
minutes.
Authentication: Multiple Authentication Event False Reports multiple login failures to a VoIP PBX host.
VoIP Login Failures
Authentication: No Authentication Event False Reports when the configured user(s) have not
Activity for 60 Days logged in to the host for over 60 days
Authentication: Possible Authentication Event False Reports when an account is shared. We
Shared Accounts recommend that you add system accounts, such as
root and admin to the following negative test: and
NOT when the event username matches the
following.
Authentication: Repeat Authentication Event False Reports when a source IP address causes an
Non-Windows Login authentication failure event at least seven times to a
Failures single destination IP address within 5 minutes.
Authentication: Repeat Authentication Event False Reports when a source IP address causes an
Windows Login Failures authentication failure event at least nine times to a
single Windows host within 1 minute.
Botnet: Local Host on Botnet Common True Reports when a source IP address is a member of a
Botnet CandC List known Botnet CandC host.
(SRC)
Botnet: Local host on Botnet Common True Reports when a local destination IP address is a
Botnet CandC List member of a known Botnet CandC host.
(DST)
Botnet: Potential Botnet Botnet Common False Reports a host connecting or attempting to connect
Connection (DNS) to a DNS server on the Internet. This may indicate a
host connecting to a Botnet.

Rule Enabl
Botnet: Potential Botnet Botnet Event True Enable this rule if you want all events categorized
Events Become as exploits to create an offense.
Offenses
Botnet: Potential Botnet Common True Reports when a potential connection to a know
connection to known BotNet CandC host is detected. To reduce false
Botnet CandC positive offenses, connections on ports 25 and 53
are removed from the rule.
Botnet: Successful Botnet Common True Reports when a successful inbound connection
Inbound Connection from a BotNet CandC host in detected.
from a Known Botnet
CandC
Policy: Remote: IRC Botnet, Policy Common True Reports a local host issuing an excessive number of
Connections IRC connections to the Internet.
Compliance: Auditing Compliance Event False Reports when auditing services are stopped on a
Services Stopped on compliance host. Before enabling this rule, define
Compliance Host the hosts in the compliance definition BBs and
verify that the events for the audit service stopped
for your host are in the BB: CategoryDefinition:
Auditing Stopped building block.
Compliance: Compliance Event False Reports compliance-based events, such as clear
Compliance Events text passwords.
Become Offenses
Compliance: Compliance Event False Reports configuration change made to device in
Configuration Change compliance network. Before you enable this rule,
Made to Device in edit the device list to include the devices you want
Compliance network reported.
Compliance: Excessive Compliance Event False Reports excessive authentication failures to a
Failed Logins to compliance server within 10 minutes.
Compliance IS
Compliance: Multiple Compliance Event False Reports multiple failed logins to a compliance asset.
Failed Logins to a
Compliance Asset
Compliance: Traffic Compliance Common True Reports traffic from the DMZ to an internal network.
from DMZ to Internal This is typically not allowed under compliance
Network regulations. Before enabling this rule, make sure
the DMZ object is defined in your network hierarchy.
Compliance: Traffic Compliance Common True Reports traffic from an untrusted network to a
from Untrusted Network trusted network. Before enabling this rule, edit the
to Trusted Network following BBs: BB:NetworkDefinition: Untrusted
Network Segment and BB:NetworkDefinition:
Trusted Network Segment.
Database: Attempted Compliance Event True Reports when a configuration modification is
Configuration attempted to a database server from a remote
Modification by a remote network.
host

Default Rules 217
Rule Enabl
Database: Concurrent Compliance Event True Reports when several authentications to a database
Logins from Multiple server occur across multiple remote IP addresses.
Locations
Vulnerabilities: Compliance Event False Reports when a vulnerability is discovered on a
Vulnerability Reported local host.
by Scanner
Database: Attempted Database Event True Reports when a configuration modification is
Configuration attempted to a database server from a remote
Modification by a remote network.
host
Database: Concurrent Database Event True Reports when multiple remote IP addresses
Logins from Multiple concurrently login to a database server.
Locations
Database: Failures Database Event True Reports when login failures are followed by the
Followed by User addition or change of a user account.
Changes
Database: Groups Database Event True Monitors changes to groups on a database when
changed from Remote the change is initiated from a remote network.
Host
Database: Multiple Database Event True Reports when there are multiple database failures
Database Failures followed by a success within a short period of time.
Followed by Success
Database: Remote Database Event True Reports when a login failure from a remote source
Login Failure IP address to a database server is detected.
Database: Remote Database Event True Reports when a successful authentication occurs to
Login Success a database server from a remote network.
Database: User Rights Database Event True Reports when changes to database user privileges
Changed from Remote are made from a remote network.
Host
DDoS: DDoS Attack D\DoS Event True Reports network Distributed Denial of Service
Detected (DDoS) attacks on a system.
DDoS: DDoS Events D\DoS Event True Reports when offenses are created for DoS-based
with High Magnitude events with high magnitude.
Become Offenses
DDoS: Potential DDoS D\DoS Flow False Reports when more than 500 hosts send packets to
Against Single Host a single destination using ICMP in one minute and
(ICMP) there is no response.
DDoS: Potential DDoS D\DoS Flow False Reports when more than 500 hosts send packets to
Against Single Host a single destination using IPSec or an uncommon
(Other) protocol in one minute and there is no response.
DDoS: Potential DDoS D\DoS Flow True Reports when more than 500 hosts send packets to
Against Single Host a single destination using TCP in one minute and
(TCP) there is no response.

Rule Enabl
DDoS: Potential DDoS D\DoS Flow False Detects when more than 500 hosts send packets to
Against Single Host a single destination using UPD in one minute and
(UDP) there is no response.
DoS: DoS Events from D/DoS Event False Reports when DoS attack events are identified on
Darknet Darknet network ranges.
DoS: DoS Events with D\DoS Event True Rule forces the creation of an offense for DoS
High Magnitude based events with a high magnitude.
Become Offenses
DoS: Local Flood D\DoS Flow False Reports when a single local host sends more than
(ICMP) three flows containing 60,000 packets to an Internet
destination using ICMP in 5 minutes.
DoS: Local Flood D\DoS Flow False Reports when a single local host sends more than
(Other) three flows containing 60,000 packets to an Internet
destination using IPSec or an uncommon protocol
in 5 minutes.
DoS: Local Flood (TCP) D\DoS Flow True Reports when a single local host sends more than
60,000 packets at a packet rate of 1,000 packets
per second to an Internet destination using TCP.
DoS: Local Flood (UDP) D\DoS Flow False Reports when a single local host sends more than
three flows containing 60,000 packets to an Internet
destination using UDP in 5 minutes.
DoS: Network DoS D\DoS Event True Reports network Denial of Service (DoS) attacks on
Attack Detected a system.
DoS: Remote Flood D\DoS Flow False Reports when a single host on the Internet
(ICMP) containing than 60,000 packets to an Internet
destination using ICMP in 5 minutes.
DoS: Remote Flood D\DoS Flow False Reports when a single host on the Internet sends
(Other) more than three flows containing 60,000 packets to
an Internet destination using IPSec or an
uncommon protocol in 5 minutes.
(TCP) more than three flows containing than 60,000
packets to an Internet destination using TCP in 5
minutes.
(UDP) more than three flows containing 60,000 packets to
an Internet destination using UDP in 5 minutes.
DoS: Service DoS D\DoS Event True Reports a DoS attack against a local destination IP
Attack Detected address that is known to exist and the target port is
open.

Default Rules 219
Rule Enabl
Botnet: Potential Botnet Exploit Common False Reports a host connecting or attempting to connect
Connection (DNS) to a DNS server on the Internet. This may indicate a
host connecting to a Botnet. The host should be
investigated for malicious code. Before you enable
this rule, configure the BB:HostDefinition: DNS
Servers BB.
Note: Laptops that include wireless adapters may
cause this rule to generate alerts since the laptops
may attempt to communicate with another IDPs
DNS server. If this occurs, define the ISPs DNS
server in the BB:HostDefinition: DNS Servers BB.
Exploit:All Exploits Exploit Event False Reports all exploit events. By default, this rule is
Become Offenses disabled. Enable this rule if you want all events
categorized as exploits to create an offense.
Exploit: Attack followed Exploit Event False Reports when exploit events are followed by typical
by Attack Response responses, which may indicate a successful exploit.
Exploit: Chained Exploit Exploit Event True Reports exploit activity from a source IP address
Followed by Suspicious followed by suspicious account activity to a third
Events host from the same destination IP address as the
original exploit within 15 minutes.
Exploit: Destination Exploit Event True Reports an exploit against a vulnerable local
Vulnerable to Detected destination IP address, where the destination IP
Exploit address is known to exist, and the host is
vulnerable to the exploit.
Exploit: Destination Exploit Event True Reports an exploit against a vulnerable local
Vulnerable to Detected destination IP address, where the destination IP
Exploit on a Different address is known to exist, and the host is
Port vulnerable to the exploit on a different port.
Exploit: Destination Exploit Event False Reports an exploit against a vulnerable local
Vulnerable to Different destination IP address, where the target is known to
Exploit than Attempted exist, and the host is vulnerable to some exploit but
on Targeted Port not the one being attempted.
Exploit: Exploit Followed Exploit Event False Reports an exploit from a source IP address
by Suspicious Host followed by suspicious account activity on the
Activity destination host within 15 minutes.
Exploit: Exploit/Malware Exploit Event True Reports a source IP address generating multiple (at
Events Across Multiple least five) exploits or malicious software (malware)
Destinations events in the last 5 minutes. These events are not
targeting hosts that are vulnerable and may indicate
false positives generating from a device.
Exploit: Exploits Events Exploit Event True Rule generates offenses for exploit-based events
with High Magnitude with a high magnitude.
Become Offenses

Rule Enabl
Exploit: Exploits Exploit Event False Reports when exploit events are followed by firewall
Followed by Firewall accept events, which may indicate a successful
Accepts exploit.
Exploit: Multiple Exploit Exploit Event True Reports a destination IP address being exploited
Types Against Single using multiple types of exploit types from one or
Destination more source IP address.
Exploit: Multiple Vector Exploit Event False Reports when a source IP address attempts
Attack Source multiple attack vectors. This may indicate a source
IP address specifically targeting an asset.
Exploit: Potential VoIP Exploit Event False Reports when at least three failed login attempts
Toll Fraud within 30 seconds followed by sessions being
opened are detected on your VoIP hardware. This
action could indicate that illegal users are executing
VoIP sessions on your network.
Exploit: Recon followed Exploit Event True Reports reconnaissance events followed by an
by Exploit exploit from the same source IP address to the
same destination port within 1 hour.
Exploit: Source Exploit Event False Reports an exploit from a local host where the
Vulnerable to any source IP address has at least one vulnerability to
Exploit any exploit. It is possible the source IP address was
a destination IP address in an earlier offense.
Exploit: Source Exploit Event False Reports an attack from a local host where the
Vulnerable to this source IP address has at least one vulnerability to
Exploit the exploit being used. It is possible the source IP
address was a destination IP address in an earlier
offense.
FalsePositive: False False Positive Event True Reports events that include false positive rules and
Positive Rules and BBs, such as, BB:FalsePositive: Windows Server
Building Blocks False Positive Events. Events that match the rule
are stored and dropped from the event pipeline. If
you add any new BBs or rules to remove events
from becoming offenses, you must add these new
rules or BBs to this rule.
Magnitude Adjustment: Magnitude Common True Adjusts the relevance of flows and events when
Context is Local to Local Adjustment there is local to local communication
Context is Local to Adjustment there is local to remote communication.
Remote
Context is Remote to Adjustment there is remote to local communication.
Local
Magnitude Adjustment: Magnitude Common True Adjusts the relevance and credibility of flows and
Destination Asset Exists Adjustment events where the destination is a local asset.

Default Rules 221
Rule Enabl
Magnitude Adjustment: Magnitude Common True Adjusts the relevance and credibility of events and
Destination Asset Port is Adjustment flows when the destination port is known to be
Open active.
Magnitude Adjustment: Magnitude Common True Adjusts the relevance of events and flows if the
Destination Network Adjustment destination network weight is high.
Weight is High
Destination Network Adjustment destination network weight is low.
Weight is Low
Destination Network Adjustment destination network weight is medium.
Weight is Medium
Magnitude Adjustment: Magnitude Common True Adjusts the severity of events and flows when the
Source Address is a Adjustment source IP is a known bogon address. Traffic from
Bogon IP known bogon addresses may indicate the possibility
of the source IP address being spoofed.
Magnitude Adjustment: Magnitude Common True Adjusts the severity of events and flows when the
Source Address is a Adjustment source IP is a known questionable host.
Known Questionable IP
Magnitude Adjustment: Magnitude Common True Adjusts the relevance and credibility of flows and
Source Asset Exists Adjustment events where the source is a local asset.
Source Network Weight Adjustment source network weight is high.
is High
Source Network Weight Adjustment source network weight is low.
is Low
Source Network Weight Adjustment source network weight is medium.
is Medium
Malware: Malware Flow False Reports communication with a web site that has
Communication with a been involved in previous SQL injection.
site that has been
involved in previous
SQL injection
Malware: Malware Flow True Reports communication with a web site that is listed
Communication with a on a known blacklist or uses fast flux.
site that is listed on a
known blacklist or uses
fast flux
Malware: Malware Flow False Reports communication with a web site known to
Communication with a aid in distribution of malware.
web site known to aid in
distribution of malware

Rule Enabl
Malware: Malware Flow False Reports communication with a web site known to be
Communication with a a phishing or fraud site.
web site known to be a
Note: Phishing is the process of attempting to
phishing or fraud side
acquire information such as usernames, passwords
and credit card details by pretending to be a
trustworthy entity.
Malware: Malware Flow True Reports communication with a web site known to be
Communication with a associated with the Russian business network.
web site known to be
associated with the
Russian business
network
Communication with a delivering code which may be a trojan.
delivering code which
may be a trojan
Communication with a involved in botnet activity.
involved in botnet
activity
Malware: Local Host Malware Event False Reports malware being sent from local hosts.
Sending Malware
Malware: Remote: Malware Flow True Reports when a host is attempting to connect to a
Client Based DNS DNS server that is not defined as a local network.
Activity to the Internet
Malware: Treat Malware Event False Reports events categorized as backdoor, virus, and
Backdoor, Trojans and trojan. Enable this rule if you want all events
Virus Events as categorized as backdoor, virus, and trojan to create
Offenses an offense.
Malware: Treat Key Malware Event False Reports events categorized as key loggers. Enable
Loggers as Offenses this rule if you want all events categorized as key
logger to create an offense.
Malware: Treat Malware Event False Reports non-spyware malware events. Enable this
Non-Spyware Malware rule if you want all events categorized as malware
as Offenses to create an offense.
Malware: Treat Spyware Malware Event False Reports spyware and/or a virus events. Enable this
and Virus as Offenses rule if you want all events categorized as Virus or
Spyware to create an offense.
Policy: Connection to a Policy Common True Reports events or flows associated with remote
remote proxy or proxy and anonymization services.
anonymization service

Default Rules 223
Rule Enabl
Policy: Connection to Policy Common False Reports events or flows connecting to the Internet
Internet on on unauthorized ports.
Unauthorized Port
Policy: Create Offenses Policy Flow False Reports flows associated with chat traffic.
for All Chat Traffic
based on Flows
Policy: Create Offenses Policy Event False Reports Instant Messenger traffic or any event
for All Instant categorized as Instant Messenger traffic where the
Messenger Traffic source is local and the destination IP address is
remote.
Policy: Create Offenses Policy Event False Reports Peer-to-Peer (P2P) traffic or any event
for All P2P Usage categorized as P2P.
Policy: Create Offenses Policy Event False Reports policy events. By default, this rule is
for All Policy Events disabled. Enable this rule if you want all events
categorized as policy to create an offense.
Policy: Create Offenses Policy Event False Reports any traffic that contains illicit materials or
for All Porn Usage any event categorized as porn. By default, this rule
is disabled. Enable this rule if you want all events
categorized as porn to create an offense.
Policy: Host has SANS Policy Event False Reports when an event is detected on an asset that
Top 20 Vulnerability is vulnerable to a vulnerability identified in the
SANS Top 20 Vulnerabilities.
(www.sans.org/top20/)
Policy: Large Outbound Policy Flow True Reports a single host sending more data out of the
Transfer High Rate of network than received. This rule detects over 2 MB
Transfer of data transferred over 12 minutes.
Policy: Large Outbound Policy Flow True Reports a single host sending more data out of the
Transfer Slow Rate of network than received. This rule detects over 2 MB
Transfer of data transferred over 2 hour. This is fairly slow
and could indicate stealthy data leakage.
Policy: Local: Clear Text Policy Flow False Reports flows to or from the Internet where the
Application Usage application type uses clear text passwords. This
may include applications such as Telnet or FTP.
Policy: Local: Hidden Policy Flow True Reports a FTP server on a non-standard port. The
FTP Server default port for FTP is TCP port 21. Detecting FTP
on other ports may indicate an exploited host,
where this server provides backdoor access to the
host.
Policy: Local: SSH or Policy Flow True Reports a SSH or Telnet server on a non-standard
Telnet Detected on port. The default port for SSH and Telnet servers is
Non-Standard Port TCP ports 22 and 23. Detecting SSH or Telnet
operating on other ports may indicate an exploited
host, where these servers provide backdoor access
to the host.

Rule Enabl
Policy: New DHCP Policy Flow False Reports when a DHCP server is discovered on the
Server Discovered network.
Policy: New Host Policy Event False Reports when a new host has been discovered on
Discovered the network.
Policy: New Host Policy Event False Reports when a new host has been discovered in
Discovered in DMZ the DMZ.
Policy: New Service Policy Event False Reports when a new service is discovered on an
Discovered existing host.
Policy: New Service Policy Event False Reports when a new service has been discovered
Discovered in DMZ on an existing host in the DMZ.
Policy: Possible Local Policy Common True Reports a local host running a service on a typical
IRC Server IRC port or a flow that was detected as IRC. This is
not typical for enterprises and should be
investigated.
Policy: Remote: Clear Policy Flow True Reports flows to or from the Internet where the
Text Application Usage application type uses clear text passwords. This
based on Flows may include applications such as Telnet or FTP.
Policy: Remote: Hidden Policy Flow True Reports an FTP server on a non-standard port. The
FTP Server default port for FTP is TCP port 21. Detecting FTP
on other ports may indicate an exploited host,
where this server to provide backdoor access to the
host.
Policy: Remote: IM/Chat Policy Flow True Reports an excessive amount of IM/Chat traffic
from a single source.
Policy: Remote: IRC Policy Common False Reports a local host issuing an excessive number of
Connections IRC connections to the Internet.
Policy: Remote: Local Policy Flow True Reports local hosts operating as a P2P client. This
P2P Client Connected indicates a violation of local network policy and may
to more than 100 indicate illegal activities, such as copyright
Servers infringement.
Policy: Remote: Local Policy Flow False Reports local hosts operating as a P2P client. This
P2P Client Detected indicates a violation of local network policy and may
indicate illegal activities, such as copyright
infringement.
Policy: Remote: Local Policy Flow True Reports local hosts operating as a P2P server. This
P2P Server connected indicates a violation of local network policy and may
to more than 100 Clients indicate illegal activities, such as copyright
infringement.
Policy: Remote: Local Policy Flow False Reports local hosts operating as a P2P server. This
P2P Server Detected indicates a violation of local network policy and may
indicate illegal activities, such as copyright
infringement.

Default Rules 225
Rule Enabl
Policy: Remote: Long Policy Flow True Reports a flow communicating to the Internet with a
Duration Flow Detected sustained duration of more than 48 hours. This is
not typical behavior for most applications.
Investigate the host for potential malware infections.
Policy: Remote: Policy Flow True Reports potential tunneling that can be used to
Potential Tunneling bypass policy or security controls.
Policy: Remote: Remote Policy Flow True Reports the Microsoft Remote Desktop Protocol
Desktop Access from from the Internet communicating to a local host.
the Internet Most companies consider this a violation of
corporate policy. If this is normal activity on your
network, you should disable this rule.
Policy: Remote: SMTP Policy Flow True Reports a local host sending a large number of
Mail Sender SMTP flows from the same source to the Internet in
one interval. This may indicate a mass mailing,
worm, or spam relay is present.
Policy: Remote: SSH or Policy Flow True Reports a SSH or Telnet server on a non-standard
Telnet Detected on port. The default port for SSH and Telnet servers is
Non-Standard Port TCP port 22 and 23. Detecting SSH or Telnet
operating on other ports may indicate an exploited
host, where these servers provide backdoor access
to the host.
Policy: Remote: Usenet Policy Flow True Reports flows to or from a Usenet server. It is
Usage uncommon for legitimate business communications
to use Usenet or NNTP services. The hosts
involved may be violating corporate policy.
Policy: Remote: VNC Policy Flow True Reports when VNC (a remote desktop access
Access from the Internet application) is communicating from the Internet to a
to a Local Host local host. Many companies consider this a policy
issue that should be addressed. If this is normal
activity on your network, disable this rule.
Policy: Upload to Local Policy Event False Reports potential file uploads to a local web server.
WebServer To edit the details of this rule, edit the
BB:CategoryDefinition: Upload to Local WebServer
BB.
Recon: Aggressive Recon Common True Reports an aggressive scan from a local source IP
Local Scanner Detected address, scanning other local or remote IP
addresses. More than 400 destination IP addresses
received reconnaissance or suspicious events in
less than 2 minutes. This may indicate a manually
driven scan, an exploited host searching for other
destination IP addresses, or a worm is present on
the system.

Rule Enabl
Recon: Aggressive Recon Common True Reports an aggressive scan from a remote source
Remote Scanner IP address, scanning other local or remote IP
Detected addresses. More than 50 destination IP addresses
received reconnaissance or suspicious events in
less than 3 minutes. This may indicate a manually
driven scan, an exploited host searching for other
destination IP addresses, or a worm on a system.
Recon: Excessive Recon Common True Reports excessive attempts, from local hosts, to
Firewall Denies From access the firewall and access is denied. More than
Local Hosts 40 attempts are detected across at least 40
destination IP addresses in 5 minutes.
Recon: Excessive Recon Common True Reports excessive attempts, from remote hosts, to
Firewall Denies From access the firewall and access is denied. More than
Remote Hosts 40 attempts are detected across at least 40
destination IP addresses in 5 minutes.
Recon: Host Port Scan Recon Common True Reports when more than 400 ports are scanned
Detected by Remote from a single source IP address in under 2 minutes.
Host
Recon: Increase Recon Event True If a high rate flow-based scanning attack is
Magnitude of High Rate detected, this rule increases the magnitude of the
Scans current event.
Recon: Increase Recon Event True If a medium rate flow-based scanning attack is
Magnitude of Medium detected, this rule increases the magnitude of the
Rate Scans current event.
Recon: Local LDAP Recon Common True Reports a source IP address attempting
Server Scanner reconnaissance or suspicious connections on
common LDAP ports to more than 60 hosts in 10
minutes.
Recon: Local Database Recon Common True Reports a scan from a local host against other local
Scanner or remote destination IP addresses. At least 30 host
were scanned in 10 minutes.
Recon: Local DHCP Recon Common True Reports a source IP address attempting
Scanner reconnaissance or suspicious connections on
common DHCP ports to more than 60 hosts in 10
minutes.
Recon: Local DNS Recon Common True Reports a source IP address attempting
common DNS ports to more than 60 hosts in 10
minutes.
Recon: Local FTP Recon Common True Reports a source IP address attempting
common FTP ports to more than 30 hosts in 10
minutes.

Default Rules 227
Rule Enabl
Recon: Local Game Recon Common True Reports a source IP address attempting
common game server ports to more than 60 hosts
in 10 minutes.
Recon: Local ICMP Recon Common True Reports a source IP address attempting
common ICMP ports to more than 60 hosts in 10
minutes.
Recon: Local IM Server Recon Common True Reports a source IP address attempting
common IM server ports to more than 60 hosts in
10 minutes.
Recon: Local IRC Recon Common True Reports a source IP address attempting
common IRC server ports to more than 10 hosts in
10 minutes.
Recon: Local Mail Recon Common True Reports a source IP address attempting
common mail server ports to more than 60 hosts in
10 minutes.
Recon: Local P2P Recon Common True Reports a source IP address attempting
common P2P server ports to more than 60 hosts in
10 minutes.
Recon: Local Proxy Recon Common True Reports a source IP address attempting
common proxy server ports to more than 60 hosts
in 10 minutes.
Recon: Local RPC Recon Common True Reports a source IP address attempting
common RPC server ports to more than 60 hosts in
10 minutes.
Recon: Local Scanner Recon Common True Reports a scan from a local host against other hosts
Detected or remote destination IP addresses. At least 60
hosts were scanned within 20 minutes. This activity
was using a protocol other than TCP, UDP, or
ICMP.
Recon: Local SNMP Recon Common True Reports a source IP address attempting
common SNMP ports to more than 60 hosts in 10
minutes.
Recon: Local SSH Recon Common True Reports a source IP address attempting
common SSH ports to more than 30 hosts in 10
minutes.

Rule Enabl
Recon: Local Recon Common False Reports when various suspicious or
Suspicious Probe reconnaissance events have been detected from
Events Detected the same local source IP address to more than five
destination IP address in 4 minutes. This can
indicate various forms of host probing, such as
Nmap reconnaissance, which attempts to identify
the services and operation systems of the host.
Recon: Local TCP Recon Common True Reports a source IP address attempting
common TCP ports to more than 60 hosts in 10
minutes.
Recon: Local UDP Recon Common True Reports a source IP address attempting
common UDP ports to more than 60 hosts in 10
minutes.
Recon: Local Web Recon Common True Reports a source IP address attempting
common local web server ports to more than 60
hosts in 10 minutes.
Recon: Local Windows Recon Common True Reports a source IP address attempting
Server Scanner to reconnaissance or suspicious connections on
Internet common Windows server ports to more than 60
Recon: Local Windows Recon Common True Reports a source IP address attempting
common Windows server ports to more than 200
Recon: Potential Local Recon Common True Reports on potential local port scans.
Port Scan Detected
Recon: Potential P2P Recon Common True Reports on potential P2P traffic.
Traffic Detected
Recon: Recon Followed Recon Common False Reports when a host that has been performing
by Accept reconnaissance also has a firewall accept following
the reconnaissance activity.
Recon: Remote Recon Common True Reports a scan from a remote host against other
Database Scanner local or remote destination IP addresses. At least
30 hosts were scanned in 10 minutes.
Recon: Remote DHCP Recon Common True Reports a remote host attempting reconnaissance
Scanner or suspicious connections on common DHCP ports
to more than 30 hosts in 10 minutes.
Recon: Remote DNS Recon Common True Reports a source IP address attempting
common DNS ports to more than 60 hosts in 10
minutes.

Default Rules 229
Rule Enabl
Recon: Remote FTP Recon Common True Reports a remote host attempting reconnaissance
Scanner or suspicious connections on common FTP ports to
more than 30 hosts in 10 minutes.
Recon: Remote Game Recon Common True Reports a remote host attempting reconnaissance
Server Scanner or suspicious connections on common game server
ports to more than 30 hosts in 10 minutes.
Recon: Remote ICMP Recon Common True Reports a remote host attempting reconnaissance
Scanner or suspicious connections on common ICMP ports
to more than 60 hosts in 10 minutes.
Recon: Remote IM Recon Common True Reports a remote host attempting reconnaissance
Server Scanner or suspicious connections on common IM server
Recon: Remote IRC Recon Common True Reports a remote host attempting reconnaissance
Server Scanner or suspicious connections on common IRC server
Recon: Remote LDAP Recon Common True Reports a scan from a remote host against other
Server Scanner local or remote destination IP addresses. At least
30 hosts were scanned in 10 minutes.
Recon: Remote Mail Recon Common True Reports a remote host attempting reconnaissance
Server Scanner or suspicious connections on common mail server
Recon: Remote Proxy Recon Common True Reports a remote host attempting reconnaissance
Server Scanner or suspicious connections on common proxy server
Recon: Remote RPC Recon Common True Reports a remote host attempting reconnaissance
Server Scanner or suspicious connections on common RPC server
Recon: Remote Recon Common True Reports a scan from a remote host against other
Scanner Detected hosts or remote destination IP addresses. At least
60 hosts were scanned within 20 minutes. This
activity was using a protocol other than TCP, UDP,
or ICMP.
Recon: Remote SNMP Recon Common True Reports a remote host scans at least 30 local or
Scanner remote hosts in 10 minutes.
Recon: Remote SSH Recon Common True Reports a remote host attempting reconnaissance
Server Scanner or suspicious connections on common SSH ports to
Recon: Remote Recon Common False Reports various suspicious or reconnaissance
Suspicious Probe events from the same remote source IP address to
Events Detected more then five destination IP addresses in 4
minutes. This may indicate various forms of host
probing, such as Nmap reconnaissance that
attempts to identify the services and operating
system of the destination IP addresses.

Rule Enabl
Recon: Remote TCP Recon Common False Reports a remote host attempting reconnaissance
Scanner or suspicious connections on common TCP ports to
Recon: Remote UDP Recon Common True Reports a remote host attempting reconnaissance
Scanner or suspicious connections on common UDP ports to
Recon: Remote Web Recon Common True Reports a remote host attempting reconnaissance
Server Scanner or suspicious connections on common local web
server ports to more than 60 hosts in 10 minutes.
Recon: Remote Recon Common True Reports a remote host attempting reconnaissance
Windows Server or suspicious connections on common Windows
Scanner server ports to more than 60 hosts in 10 minutes.
Recon: Single Merged Recon Common True Reports merged reconnaissance events generated
Recon Events Local by local scanners. This rule causes all these events
Scanner to create an offense. All devices of this type and
their event categories should be added to the
BB:ReconDetected: Devices which Merge Recon
into Single Events BB.
Recon: Single Merged Recon Common True Reports merged reconnaissance events generated
Recon Events Remote by remote scanners. This rule causes all these
Scanner events to create an offense. All devices of this type
and their event categories should be added to the
BB:ReconDetected: Devices which Merge Recon
into Single Events BB.
Default-Response- Response Offense False Reports any offense matching the severity,
E-mail: Offense E-mail credibility, and relevance minimums to e-mail. You
Sender must configure the e-mail address. You can limit the
number of e-mails sent by tuning the severity,
credibility, and relevance limits. This rule only sends
one e-mail every hour, per offense.
Default-Response- Response Offense False Reports any offense matching the severity,
Syslog: Offense credibility, or relevance minimum to syslog.
SYSLOG Sender
SuspiciousActivity: Suspicious Common False Rule identifies events that have common internal
Common Non-Local to only ports, communicating outside of the local
Remote Ports network.
SuspiciousActivity: Suspicious Common False Reports events associated with known hostile
Communication with networks.
Known Hostile Networks
SuspiciousActivity: Suspicious Common False Reports events associated with networks identified
Communication with as web sites that may involve data loss.
Known Online Services
SuspiciousActivity: Suspicious Common False Reports events associated with networks you want
Communication with to monitor.
Known Watched
Networks

Default Rules 231
Rule Enabl
SuspiciousActivity: Suspicious Event False Reports when discovered assets appear to be
Consumer Grade consumer grade equipment. Before enabling this
Equipment rule, you must configure the BB:DeviceDefinition:
Consumer Grade Routers and BB:DeviceDefinition:
Consumer Grade Wireless APs BBs.
System: 100% Accurate System Event True Creates an offense when an event matches a 100%
Events accurate signature for successful compromises.
System:Critical System System Event False Reports when QRadar detects critical event.
Events
System: Device System Event False Reports when a log source has not sent an event to
Stopped Sending the system in over 1 hour. Edit this rule to add
Events devices you want to monitor.
System: Device System Event True Reports when a firewall, IPS, VPN or switch log
Stopped Sending source has not sent an event in over 30 minutes
Events (Firewall, IPS,
VPN or Switch)
System: Flow Source System Flow True Reports when a flow interface stops generating
Stopped Sending Flows flows for over 30 minutes.
System: Host Based System Event False Reports when QRadar detects events that indicate
Failures failures within services or hardware.
System: Load Building System Event True Loads BBs that need to be run to assist with
Blocks reporting. This rule has no actions or responses.
System: Multiple System Event False Reports when a source IP address has 10 system
System Errors errors within 3 minutes.
System:Notification System Event True Rule ensures that notification events shall be sent
to the notification framework.
System: Service System Event False Reports when a services has been stopped on a
Stopped and not system and not restarted.
Restarted
WormDetection: Local Worms Event True Reports a local host sending more than 20 SMTP
Mass Mailing Host flows in 1 minute. This may indicate a host being
Detected used as a spam relay or infected with a form of
mass mailing worm.
WormDetection: Worms Event True Reports a local host generating reconnaissance or
Possible Local Worm suspicious events across a large number of hosts
Detected (greater than 300) in 20 minutes. This may indicate
the presence of a worm on the network or a wide
spread scan.
WormDetection: Worms Event True Reports when a host is connecting to many hosts
Successful Connections on the Internet on ports commonly known for worm
to the Internet on propagation.
Common Worm Ports
WormDetection: Worm Worms Event True Reports exploits or worm activity on a system for
Detected (Events) local-to-local or local-to-remote traffic.

Default Building Default building blocks for the Enterprise template include:
Blocks
Table B-2 Default Building Blocks
Block Associated Building

Building Block Group Type Description Blocks, if applicable
BB: CategoryDefinition: Category Event Edit this BB to include event
Application or Service Definitions categories that are
Installed or Modified considered part of events
detected when an
application or service is
installed or modified on a
host.
BB: CategoryDefinition: Category Event Edit this BB to include event
Auditing Stopped Definitions categories that are
considered part of events
detected when auditing has
stopped on a host.
BB: CategoryDefinition: Category Flow Edit this BB to include
Communication with File Definitions applications that indicate
Sharing Sites communication with file
sharing sites.
BB: CategoryDefinition: Category Flow Edit this BB to include
Communication with Free Definitions applications that indicate
Email Sites communication with free
e-mail sites
BB: CategoryDefinition: Category Event Edit the BB to include all
Service Started Definition event categories that
indicate a service has
started.
BB: CategoryDefinition: Category Event Edit the BB to include all
Service Stopped Definition event categories that
indicate a service has
stopped.
BB: CategoryDefinition: Category Event Edit this BB to include
Superuser Accounts Definition usernames associated with
superuser accounts, such as
admin, superuser, and root.
BB: CategoryDefinition: Category Event Edit this BB is include event
System or Device Definition categories associated with
Configuration Change system or device
configuration changes.
BB: CategoryDefinition: Category Flow Edit this BB to include all BB: CategoryDefinition:
Unidirectional Flow Definition unidirectional flows. Unidirectional Flow DST
BB: CategoryDefinition:
Unidirectional Flow SRC

Table B-2 Default Building Blocks (continued)

BB: CategoryDefinition: Category Flow Edit this BB to define
Unidirectional Flow DST Definition unidirectional flow from the
source IP address to the
destination IP address.
BB: CategoryDefinition: Category Flow Edit this BB to define
Unidirectional Flow SRC Definition unidirectional flow from the
destination IP address to the
source IP address.
BB:BehaviorDefinition: Category Event Edit this BB to include event
Compromise Activities Definitions categories that are
considered part of events
detected during a typical
compromise.
BB:BehaviorDefinition: Category Event Edit this BB to include event
Post Compromise Definitions categories that are
Activities considered part of events
detected after a typical
compromise.
BB:CategoryDefinition: Category Event Edit this BB to include all
Access Denied Definition event categories that
indicate access denied.
BB:CategoryDefinition: Category Flow Edit this BB to include all
Any Flow Definition flow types.
BB:CategoryDefinition: Compliance Event Edit this BB to include all
Authentication Failures events that indicate an
unsuccessful attempt to
access the network.
Authentication Success events that indicate
successful attempts to
access the network.
Authentication to events that indicate failed
Disabled Account attempts to access the
network using a disabled
account.
Authentication to Expired events that indicate failed
Account attempts to access the
network using an expired
account.
Authentication User or events that indicate
Group Added or Changed modification to accounts or
groups.


BB:CategoryDefinition: Category Event Edit this BB to include any
Countries with no Remote Definitions geographic location that
Access typically would not be
allowed remote access to the
enterprise. Once configured,
you can enable the Anomaly:
Remote Access from Foreign
Country rule.
Database Access Denied Definition events that indicates denied
access to the database.
Database Access Definition events that indicates
Permitted permitted access to the
database.
BB:CategoryDefinition: Category Event Edit this BB to define
Database Connections Definitions successful logins to
databases. You may need to
add additional device types
for this BB.
DDoS Attack Events Definitions event categories that you
want to categorize as a
DDoS attack.
Exploits, Backdoors, and Definitions events that are typically
Trojans exploits, backdoor, or
trojans.
BB:CategoryDefinition: Compliance Event Edit this BB that indicate
Failure Service or failure within a service or
Hardware hardware.
Firewall or ACL Accept Definitions events that indicate access
to the firewall.
Firewall or ACL Denies Definitions events that indicate
unsuccessful attempts to
access the firewall.


Firewall System Errors Definitions events that may indicate a
firewall system error. By
default, this BB applies when
an event is detected by one
or more of the following
devices:
• Check Point
• Generic Firewall
• Iptables
• NetScreen Firewall
• Cisco Pix
BB:CategoryDefinition: Category Event Edit this BB to the severity,
High Magnitude Events Definitions credibility, and relevance
levels you want to generate
an event. The defaults are:
• Severity = 6
• Credibility = 7
• Relevance = 7
BB:CategoryDefinition: Category Flow Edit this BB to identify flows
Inverted Flows Definitions that may be inverted.
BB:CategoryDefinition: Category Flow This Building Block to BB:CategoryDefinition:
IRC Detected Based on Definitions include applications that are Successful Communication
Application typically associated with IRC
traffic.
BB:CategoryDefinition: Category Event This Building Block to
IRC Detected Based on Definitions include event categories that
Event Category are typically associated with
IRC traffic.
BB:CategoryDefinition: Category Event This Building Block to BB:CategoryDefinition:
IRC Detection Based on Definitions include event categories and Firewall or ACL Accept
Firewall Events port definitions that are
BB:PortDefinition: IRC Ports
typically associated with IRC
traffic.
KeyLoggers Definitions events associated with key
logger monitoring of user
activities.
BB:CategoryDefinition: Compliance Event Edit this BB to define mail
Mail Policy Violation policy violations.
BB:CategoryDefinition: Category Event Edit this BB to include event
Malware Annoyances Definitions categories that are typically
associated with spyware
infections.


Network DoS Attack Definitions event categories that you
want to categorize as a
network DoS attack.
Policy Events event categories that may
indicate a violation to
network policy.
BB:CategoryDefinition: Category Event Edit this BB to define actions
Post DMZ Jump Definitions that may be seen within a
Remote-to-Local (R2L) and a
DMZ host jumping scenario.
Post Exploit Account Definitions event categories that may
Activity indicate exploits to accounts.
Pre DMZ Jump Definitions that may be seen within a
Local-to-Local (L2L) and a
DMZ host jumping scenario.
Pre Reverse DMZ Jump Definitions that may be seen within a
Pre DMZ jump followed by a
reverse DMZ jump.
Recon Event Categories Definitions event categories that
indicate reconnaissance
activity.
BB:CategoryDefinition: Category Common Edit this BB to include all
Recon Events Definitions events that indicate
reconnaissance activity.
Recon Flows Definitions flows that indicate
BB:CategoryDefinition: Category Common Edit this BB to define actions
Reverse DMZ Jump Definitions that may be seen within a
Remote-to-Local (R2L) and a
DMZ host reverse jumping
scenario.
BB:CategoryDefinition: Category Event Edit this BB to define Denial
Service DoS Definitions of Service (DoS) attack
events.
BB:CategoryDefinition: Category Event Edit this BB to define all
Session Closed Definition session closed events.
BB:CategoryDefinition: Category Event Edit this BB to define all
Session Opened Definition session opened events.


Successful Definitions flows that are typical of a
Communication successful communication.
Tuning this BB to reduce the
byte/packet ratio to 64 can
cause excessive false
positives. Further tuning
using additional tests may be
required.
Suspicious Event Definitions event categories that
Categories indicate suspicious activity.
BB:CategoryDefinition: Category Common Edit this BB to include all
Suspicious Events Definitions events that indicate
suspicious activity.
Suspicious Flows Definitions flows that indicate suspicious
activity.
BB:CategoryDefinition: Category Event Edits this BB to define
System Configuration Definitions system configuration events.
BB:CategoryDefinition: Category Event Edit this BB to define system
System Errors and Definitions errors and failures.
Failures
BB:CategoryDefinition: Category Event Typically, most networks are
Upload to Local Definitions configured to restrict
WebServer applications that use the
PUT method running on their
web application servers. This
BB detects if a remote host
has used this method on a
local server. The BB could
be duplicated to also detect
other unwanted methods or
for local hosts using the
method connecting to remote
servers. This BB is
referenced by the Policy:
Upload to Local WebServer
rule.
BB:CategoryDefinition: Category Event Edit this BB to define all virus
Virus Detected Definition detection events.
VoIP Authentication Definitions events that indicate a VoIP
Failure Events login failure.


VoIP Session Opened Definitions events that indicate the start
of a VoIP session.
VPN Access Accepted Definition events that indicates
permitted access.
VPN Access Denied Definition events that are considered
Denied Access events.
Windows Compliance event categories that
Events indicate compliance events.
Windows SOX event categories that
Compliance Events indicate SOX compliance
events.
BB:CategoryDefinition: Category Event Edit this BB to define worm
Worm Events Definitions events. This BB only applies
to events not detected by a
custom rule.
BB:ComplianceDefinition: Compliance Common Edit this BB to include your
GLBA Servers GLBA IP systems. You must
then apply this BB to rules
related to failed logins such
as remote access.
HIPAA Servers HIPAA Servers by IP
address. You must then
apply this BB to rules related
to failed logins such as
remote access.
BB:ComplianceDefinition: Response Common Edit this BB to include your
PCI DSS Servers PCI DSS servers by IP
address. You must apply this
BB to rules related to failed
logins such as remote
access.
SOX Servers SOX IP Servers. You must
then apply this BB to rules
related to failed logins such
as remote access.
BB:Database: System Compliance Event Edit this BB to include any
Action Allow events that indicates
successful actions within a
database.


BB:Database: System Compliance Event Edit this BB to include any
Action Deny events that indicate
unsuccessful actions within a
database.
BB:Database: User Compliance Event Edit this BB to include events
Addition or Change that indicate the successful
addition or change of user
privileges
BB:DeviceDefinition: Log Source Event Edit this BB to include all
Access/Authentication/ Definitions access, authentication, and
Audit audit devices.
AntiVirus Definitions antivirus services on the
system.
Application Definitions application and OS devices
on the network.
BB:DeviceDefinition: Log Source Common Edit this BB to include MAC
Consumer Grade Routers Definitions addresses of known
consumer grade routers.
BB:DeviceDefinition: Log Source Common Edit this BB to include MAC
Consumer Grade Definitions addresses of known
Wireless APs consumer grade wireless
access points.
BB:DeviceDefinition: Log Source Event Edit this BB to define all
Database Definitions databases on the system.
BB:DeviceDefinition: Log Source Event Edit this BB to include
Devices to Monitor for Definitions devices you want to monitor
High Event Rates for high event rates. The
event rate threshold is
controlled by the Anomaly:
Devices with High Event
Rates.
FW/Router/ Definitions firewall (FW), routers, and
Switch switches on the network.
BB:DeviceDefinition: Log Source Event Edit this BB to include all IDS
IDS/IPS Definitions and IPS devices on the
network.
BB:DeviceDefinition:VPN Log Source Event Edit this BB to include all
Definition VPNs on the network.


BB:DoS: Local: D/DoS Flow Edit this BB to detect a high
Distributed DoS Attack number of hosts (greater
(High Number of Hosts) than 100,000) sending
identical, non-responsive
packets to a single
BB:DoS: Local: D/DoS Flow Edit this BB to detect a low
(Low Number of Hosts) than 500) sending identical,
non-responsive packets to a
single destination IP
address.
BB:DoS: Local: D/DoS Flow Edit this BB to detect a
Distributed DoS Attack medium number of hosts
(Medium Number of (greater than 5,000) sending
Hosts) identical, non-responsive
packets to a single
BB:DoS: Local: Flood D/DoS Flow Edit this BB to detect flood
Attack (High)) attacks above 100,000
packets per second. This
activity may indicate an
attack.
Attack (Low) attacks above 500 packets
per second. This activity may
indicate an attack.
Attack (Medium)) attacks above 5,000 packets
indicate an attack.
BB:DoS: Local: Potential D/DoS Flow Edit this BB to detect flows
ICMP DoS that appear to be an ICMP
DoS attack attempt.
TCP DoS that appear to be an TCP
DoS attack attempt.
UDP DoS that appear to be an UDP
DoS attack attempt.


BB:DoS: Local: Potential D/DoS Flow Edit this BB to detect a low
Unresponsive Server or number of hosts sending
Distributed DoS identical, non-responsive
packets to a single
destination. In this case, the
destination is treated as the
source in the Offenses
interface.
BB:DoS: Remote: D/DoS Flow Edit this BB to detect a high
(High Number of Hosts) than 100,000) sending
identical, non-responsive
packets to a single
BB:DoS: Remote: D/DoS Flow Edit this BB to detect a low
(Low Number of Hosts) than 500) sending identical,
non-responsive packets to a
single destination IP
address.
BB:DoS: Remote: D/DoS Flow Edit this BB to detect a
Distributed DoS Attack medium number of hosts
(Medium Number of (greater than 5,000) sending
Hosts) identical, non-responsive
packets to a single
BB:DoS: Remote: Flood D/DoS Flow Edit this BB to detect flood
Attack (High) attacks above 100,000
packets per second. This
activity may indicate an
attack.
BB:DoS: Remote: Flood D/DoS Flow Edit this BB to detect flood
Attack (Low) attacks above 500 packets
indicate an attack.
BB:DoS:Remote: Flood D/DoS Flow Edit this BB to detect flood
Attack (Medium) attacks above 5,000 packets
indicate an attack.
BB:DoS: Remote: D/DoS Flow Edit this BB to detect flows
Potential ICMP DoS that appear to be an ICMP
DoS attack attempt.
Potential TCP DoS that appear to be an TCP
DoS attack attempt.


Potential UDP DoS that appear to be an UDP
DoS attack attempt.
BB:DoS: Remote: D/DoS Flow Edit this BB to detect a low
Potential Unresponsive number of hosts sending
Server or Distributed DoS identical, non-responsive
packets to a single
destination. In this case, the
destination is treated as the
source in the Offenses
interface.
BB:FalseNegative: False Event Edit this BB to include events
Events That Indicate Positive that indicate a successful
Successful Compromise compromise. These events
generally have 100%
accuracy.
BB:FalsePositive: All False Common Edit this BB to include all All BB:False
Default False Positive Positive false positive BBs. Positive BBs
BBs
BB:FalsePositive: False Common Edit this BB to define all the
Broadcast Address False Positive false positive categories that
Positive Categories occur to or from the
broadcast address space.
BB:FalsePositive: False Common Edit this BB to define all the BB:HostDefinition: Database
Database Server False Positive false positive categories that Servers
Positive Categories occur to or from database
servers that are defined in
the BB:HostDefinition:
Database Servers BB.
BB:FalsePositive: False Event Edit this BB to define all the BB:HostDefinition: Database
Database Server False Positive false positive QIDs that Servers
Positive Events occur to or from database
Database Servers BB.
BB:FalsePositive: Device False Event Edit this BB to include the
and Specific Event Positive devices and QID of devices
that continually generate
false positives.
BB:FalsePositive: DHCP False Common Edit this BB to define all the BB:HostDefinition: DHCP
Server False Positive Positive false positive categories that Servers
Categories occur to or from DHCP
the BB:HostDefinition: DHCP
Servers BB.


BB:FalsePositive: DHCP False Event Edit this BB to define all the BB:HostDefinition: DHCP
Server False Positive Positive false positive QIDs that Servers
Events occur to or from DHCP
the BB:HostDefinition: DHCP
Servers BB.
BB:FalsePositive: DNS False Common Edit this BB to define all the BB:HostDefinition: DNS
Categories occur to or from DNS based
the BB:HostDefinition: DNS
Servers BB.
BB:FalsePositive: DNS False Event Edit this BB to define all the BB:HostDefinition: DNS
Events occur to or from DNS-based
the BB:HostDefinition: DNS
Servers BB.
BB:FalsePositive: False Event Edit this BB to define firewall
Firewall Deny False Positive deny events that are false
Positive Events positives
BB:FalsePositive: FTP False Event Edit this BB to define all the BB:HostDefinition: FTP
False Positive Events Positive false positive QIDs that Servers
occur to or from FTP-based
the BB:HostDefinition: FTP
Servers BB.
BB:FalsePositive: FTP False Common Edit this BB to define all the BB:HostDefinition: FTP
Categories occur to or from FTP based
the BB:HostDefinition: FTP
Servers BB.
BB:FalsePositive: Global False Event Edit this BB to include any
False Positive Events Positive event QIDs that you want to
ignore.
BB:FalsePositive: Large False Event Edit this BB to define specific
Volume Local FW Events Positive events that can create a
large volume of false
positives in general rules.
BB:FalsePositive: LDAP False Common Edit this BB to define all the BB:HostDefinition: LDAP
Categories occur to or from LDAP
the BB:HostDefinition: LDAP
Servers BB.


BB:FalsePositive: LDAP False Event Edit this BB to define all the BB:HostDefinition: LDAP
Events occur to or from LDAP
the BB:HostDefinition: LDAP
Servers BB.
BB:FalsePositive: Local False Event Edit this BB to define all the
Source to Local Positive false positive QIDs that
Destination False occur to or from
Positives Local-to-Local (L2L) based
servers.
BB:FalsePositive: Local False Event Edit this BB to define all the
Source to Remote Positive false positive QIDs that
Positives Local-to-Remote (L2R)
based servers.
BB:FalsePositive: Mail False Common Edit this BB to define all the BB:HostDefinition: Mail
Categories occur to or from mail servers
that are defined in the
BB:HostDefinition: Mail
Servers BB.
BB:FalsePositive: Mail False Event Edit this BB to define all the BB:HostDefinition: Mail
Events occur to or from mail servers
BB:HostDefinition: Mail
Servers BB.
BB:FalsePositive: False Event Edit this BB to define all the BB:HostDefinition: Network
Network Management Positive false positive categories that Management Servers
Servers Recon occur to or from network
management servers that
are defined in the
BB:HostDefinition: Network
Management Servers BB.
BB:FalsePositive: Proxy False Common Edit this BB to define all the BB:HostDefinition: Proxy
Categories occur to or from proxy
the BB:HostDefinition: Proxy
Servers BB.
BB:FalsePositive: Proxy False Event Edit this BB to define all the BB:HostDefinition: Proxy
Events occur to or from proxy
the BB:HostDefinition: Proxy
Servers BB.


BB:FalsePositive: False Event Edit this BB to define all the
Remote Source to Local Positive false positive QIDs that
Positives Remote-to-Local (R2L)
based servers.
BB:FalsePositive: RPC False Common Edit this BB to define all the BB:HostDefinition: RPC
Categories occur to or from RPC servers
BB:HostDefinition: RPC
Servers BB.
BB:FalsePositive: RPC False Event Edit this BB to define all the BB:HostDefinition: RPC
Events occur to or from RPC servers
BB:HostDefinition: RPC
Servers BB.
BB:FalsePositive: SNMP False Common Edit this BB to define all the BB:HostDefinition: SNMP
Sender or Receiver False Positive false positive categories that Servers
Positive Categories occur to or from SNMP
SNMP Servers BB.
BB:FalsePositive: SNMP False Event Edit this BB to define all the BB:HostDefinition: SNMP
Sender or Receiver False Positive false positive QIDs that Sender or Receiver
Positive Events occur to or from SNMP
SNMP Sender or Receiver
BB.
BB:FalsePositive: Source False Event Edit this BB to include source
IP and Specific Event Positive IP addresses or specific
events that you want to
remove.
BB:FalsePositive: SSH False Common Edit this BB to define all the BB:HostDefinition: SSH
Categories occur to or from SSH servers
BB:HostDefinition: SSH
Servers BB.
BB:FalsePositive: SSH False Event Edit this BB to define all the BB:HostDefinition: SSH
Events occur to or from SSH servers
BB:HostDefinition: SSH
Servers BB.


BB:FalsePositive: Syslog False Common Edit this BB to define all false BB:HostDefinition: Syslog
Sender False Positive Positive positive categories that occur Servers and Senders
Categories to or from syslog sources.
BB:FalsePositive: Syslog False Event Edit this BB to define all false BB:HostDefinitionBB:HostDef
Sender False Positive Positive positive events that occur to inition: Syslog Servers and
Events or from syslog sources or Senders
destinations.
BB:FalsePositive: Virus False Common Edit this BB to define all the BB:HostDefinition: Virus
Definition Update Positive false positive QIDs that Definition and Other Update
Categories occur to or from virus Servers
definition or other automatic
update hosts that are defined
in the BB:HostDefinition:
Virus Definition and Other
Update Servers BB.
BB:FalsePositive: Web False Common Edit this BB to define all the BB:HostDefinition: Web
Categories occur to or from web servers
BB:HostDefinition: Web
Servers BB.
BB:FalsePositive: Web False Event Edit this BB to define all the BB:HostDefinition: Web
Events occur to or from Web servers
BB:HostDefinition: Web
Servers BB.
BB:FalsePositive: False Event Edit this BB to add
Windows AD Source Positive addresses of Windows
Authentication Events Authentication/
Active Directory (AD)
servers. This BB prevents
the AD servers from being
the source of authentication
messages.
BB:FalsePositive: False Common Edit this BB to define all the BB:HostDefinition: Windows
Windows Server False Positive false positive categories that Servers
Positive Categories Local occur to or from Windows
Windows Servers BB.
BB:FalsePositive: False Event Edit this BB to define all the BB:HostDefinition: Windows
Windows Server False Positive false positive QIDs that Servers
Positive Events occur to or from Windows
Windows Servers BB.


BB:Flowshape: Balanced Flowshape Flow This BB detects flows that
have a balanced flow bias.
BB:Flowshape: Inbound Flowshape Flow This BB detects flows that
Only have an inbound only flow
bias.
BB:Flowshape: Local Flowshape Flow This BB detects local flows
Balanced that have a balanced flow
bias.
BB:Flowshape: Local Flowshape Flow This BB detects
Unidirectional unidirectional flows within the
local network.
BB:Flowshape: Mostly Flowshape Flow This BB detects flows that
Inbound have a mostly inbound flow
bias.
BB:Flowshape: Mostly Flowshape Flow This BB detects flows that
Outbound have a mostly outbound flow
bias.
BB:Flowshape: Outbound Flowshape Flow This BB detects flows that
Only have an outbound only flow
bias.
BB:HostBased: Critical Compliance Event Edit this BB to define event
Events categories that indicate
critical events.
BB:HostDefinition: Host Common Edit this BB to include any
Consultant Assets Definitions consultant assets, which
includes any asset
connected to your network
that is supplied or owned by
a consultant and not
considered to be your
enterprise’s asset.
BB:HostDefinition: Host Common Edit this BB to define typical BB:FalsePositive: Database
Database Servers Definitions database servers. Server False Positive
Categories
BB:FalsePositive: Database
Server False Positive Events
BB:HostDefinition: DHCP Host Common Edit this BB to define typical BB:False Positive: DHCP
Servers Definitions DHCP servers. Server False Positives
Categories
BB:FalsePositive: DHCP
BB:HostDefinition: DMZ Host Common Edit this BB to include any
Assets Definitions DMZ assets.


BB:HostDefinition: DNS Host Common Edit this BB to define typical BB:False Positive: DNS
Servers Definitions DNS servers. Server False Positives
Categories
BB:FalsePositive: DNS
BB:HostDefinition: FTP Host Common Edit this BB to define typical BB:False Positive: FTP
Servers Definitions FTP servers. Server False Positives
Categories
BB:FalsePositive: FTP
BB:HostDefinition: Host Host Common Edit this BB to include a host
with Port Open Definitions and port that is actively or
passively seen.
BB:HostDefinition: LDAP Host Common Edit this BB to define typical BB:False Positive: LDAP
Servers Definitions LDAP servers. Server False Positives
Categories
BB:FalsePositive: LDAP
BB:HostDefinition: Local Host Common Edit this BB to include any
Assets Definitions local assets.
BB:HostDefinition: Mail Host Common Edit this BB to define typical BB:False Positive: Mail
Servers Definitions mail servers. Server False Positives
Categories
BB:FalsePositive: Mail
MailServer Assets Definitions mail server assets.
BB:HostDefinition: Host Common Edit this BB to define typical
Network Management Definitions network management
Servers servers.
Protected Assets Definitions protected assets.
BB:HostDefinition: Proxy Host Common Edit this BB to define typical BB:False Positive: Proxy
Servers Definitions proxy servers. Server False Positives
Categories
BB:FalsePositive: Proxy
Regulatory Assets Definitions regulatory assets.
Remote Assets Definitions remote assets.


BB:HostDefinition: RPC Host Common Edit this BB to define typical BB:False Positive: RPC
Servers Definitions RPC servers. Server False Positives
Categories
BB:FalsePositive: RPC
BB:HostDefinition: Host Event Edit this BB to define generic
Servers Definitions servers.
BB:HostDefinition: SNMP Host Common Edit this BB to define SNMP BB:PortDefinition: SNMP
Sender or Receiver Definitions senders or receivers. Ports
BB:HostDefinition: SSH Host Common Edit this BB to define typical BB:False Positive: SSH
Servers Definitions SSH servers. Server False Positives
Categories
BB:FalsePositive: SSH
BB:HostDefinition: Syslog Host Common Edit this BB to define typical BB:FalsePositive: Syslog
Servers and Senders Definitions host that send or receive Server False Positive
syslog traffic. Categories
BB:FalsePositive: Syslog
BB:HostDefinition: VA Host Common Edit this BB to include the
Scanner Source IP Definitions source IP address of your VA
scanner. By default, this BB
applies when the source IP
address is 127.0.0.2.
BB:HostDefinition: Virus Host Common Edit this BB to include all
Definition and Other Definitions servers that include virus
Update Servers protection and update
functions.
BB:HostDefinition: VoIP Host Common Edit this BB to define typical
IP PBX Server Definitions VoIP IP PBX servers.
BB:HostDefinition: VPN Host Common Edit this BB to include any
Assets Definitions VPN assets.
BB:HostDefinition: Web Host Common Edit this BB to define typical BB:False Positive: Web
Servers Definitions web servers. Server False Positives
Categories
BB:FalsePositive: Web
BB:HostDefinition: Host Common Edit this BB to define typical BB:False Positive: Windows
Windows Servers Definitions Windows servers, such as Server False Positives
domain controllers or Categories
exchange servers.
BB:FalsePositive: Windows


BB:NetworkDefinition: Network Common Edit this BB to include the
Broadcast Address Space Definition broadcast address space of
your network. This is used to
remove false positive events
that may be caused by the
use of broadcast messages.
BB:NetworkDefinition: Network Common Edit this BB to include all
Client Networks Definition networks that include client
hosts.
BB:NetworkDefinition: Network Common Edit this BB to include
Darknet Addresses Definition networks that you want to
add to a Darket list.
DLP Addresses Definition networks that you want to
add to a Data Loss
Prevention (DLP) list.
DMZ Addresses Definition networks that you want to
add to a Demilitarized Zone
(DMZ) list.
BB:NetworkDefinition: Network Common Edit this BB by replacing
Honeypot like Addresses Definition other network with network
objects defined in your
network hierarchy that are
currently not in use in your
network or are used in a
honeypot or tarpit
installation. Once these have
been defined, you must
enable the Anomaly:
Potential Honeypot Access
rule. You must also add a
security/policy BB to these
network objects to generate
events based on attempted
access.
BB:NetworkDefinition: Network Common Edit this BB to include all
Inbound Communication Definition traffic from the Internet to
from Internet to Local you local networks.
Host
Multicast Address Space Definition networks that you want to
add to a multicast address
space list.


BB:NetworkDefinition: Network Common Edit this BB to define typical
NAT Address Range Definition Network Address Translation
(NAT) range you want to use
in your deployment.
BB:NetworkDefinition: Network Common Edit this BB to include the
Server Networks Definition networks where your servers
are located.
BB:NetworkDefinition: Network Common Edit this BB to include event
Trusted Network Definition categories that are trusted
Segment local networks.
BB:NetworkDefinition: Network Common Edit this BB to include areas
Undefined IP Space Definition of your network that does not
contain any valid hosts.
Untrusted Local Networks Definition untrusted local networks.
BB:NetworkDefinition: Network Common Edit this BB to include any BB:NetworkDefinition:
Untrusted Network Definition untrusted networks. Untrusted Local Network
Segment
BB:NetworkDefinition:
Inbound Communication from
Internet to Local Host
Watch List Addresses Definition networks that should be
added to a watch list.
BB:Policy Violation: Policy Flow Edit this BB to include
Application Policy applications that are
Violation: NNTP to commonly associated with
Internet NNTP traffic to the Internet
Application Policy applications that are
Violation: Unknown Local commonly associated with
Service potentially unknown local
services.
Compliance Policy applications that are
Violation: Clear Text commonly associated with
Application Usage unencrypted protocols like
telnet and FTP.
BB: Policy Violation: Policy Flow Edit this BB to include
Connection to Social applications that are
Networking Web Site commonly associated with
social networking web sites.


BB:Policy Violation: IRC Policy Flow Edit this BB to include
IM Policy Violation: IM applications that are
Communications commonly associated with
Instant Messaging
communications.
BB:Policy Violation: IRC PolicyRecon Flow Edit this BB to include
IM Policy Violation: IRC applications that are
Connection to Internet commonly associated with
IRC connections to a remote
host.
BB:Policy Violation: Large Policy Flow Edit this BB to include
Outbound Transfer applications that are
commonly associated with
significant transfer of data to
outside the local network.
This may indicate suspicious
activity.
BB:Policy Violation: Mail Policy Flow Edit this BB to include
Policy Violation: applications that are
Outbound Mail Sender commonly associated with a
local host sending mail to
remote hosts.
BB:Policy Violation: Mail Policy Flow Edit this BB to include
Policy Violation: Remote applications that are
Connection to Internal commonly associated with
Mail Server potential unauthorized
internal mail servers.
BB:Policy Violation: P2P Policy Flow Edit this BB to include
Policy Violation: Local applications that are
P2P Client commonly associated with
local P2P clients. This BB
detects flows coming from a
local PSP server.
BB:Policy Violation: P2P Policy Flow Edit this BB to include
Policy Violation: Local applications that are
P2P Server commonly associated with
local P2P clients. This BB
detects flows coming from a
local P2P client.
Remote Access Policy applications that are
Violation: Remote Access commonly associated with
Shell remote access. This BB
detects a remote access
attempt from a remote host.


BB:Policy: Application Policy Event Edit this BB to define policy
Policy Violation Events application and violation
events.
BB:Policy: IRC/IM Policy Event Edit this BB to define all
Connection Violations policy IRC/IM connection
violations.
BB:Policy: Policy P2P Policy Event Edit this BB to include all
events that indicate P2P
events.
BB:PortDefinition: Port\ Common Edit this BB to include ports
Authorized L2R Ports Protocol that are commonly detected
Definition in Local-to-Remote (L2R)
traffic.
BB:PortDefinition: Port\ Common Edit this BB to include all
Common Worm Ports Protocol ports that are generally not
Definition seen in L2R traffic.
Database Ports Protocol common database ports.
Definition
BB:PortDefinition: DHCP Port\ Common Edit this BB to include all
Ports Protocol common DHCP ports.
Definition
BB:PortDefinition: DNS Port\ Common Edit this BB to include all
Ports Protocol common DNS ports.
Definition
BB:PortDefinition: FTP Port\ Common Edit this BB to include all
Ports Protocol common FTP ports.
Definition
BB:PortDefinition: Game Port\ Common Edit this BB to include all
Server Ports Protocol common game server ports.
Definition
BB:PortDefinition: IM Compliance Common Edit this BB to include all
Ports common IM ports.
BB:PortDefinition: IRC Port\ Common Edit this BB to include all
Ports Protocol common IRC ports.
Definition
BB:PortDefinition: LDAP Port\ Common Edit this BB to include all
Ports Protocol common ports used by
Definition LDAP servers.
BB:PortDefinition: Mail Port\ Common Edit this BB to include all
Ports Protocol common ports used by mail
Definition servers.


BB:PortDefinition: P2P Port\ Common Edit this BB to include all
Ports Protocol common ports used by P2P
Definition servers.
BB:PortDefinition: Proxy Port\ Common Edit this BB to include all
Ports Protocol common ports used by proxy
Definition servers.
BB:PortDefinition: RPC Port\ Common Edit this BB to include all
Ports Protocol common ports used by RPC
Definition servers.
BB:PortDefinition: SNMP Port\ Common Edit this BB to include all
Ports Protocol common ports used by
Definition SNMP servers.
BB:PortDefinition: SSH Port\ Common Edit this BB to include all
Ports Protocol common ports used by SSH
Definition servers.
BB:PortDefinition: Syslog Port\ Common Edit this BB to include all
Ports Protocol common ports used by the
Definition syslog servers.
BB:PortDefinition: Web Port\ Common Edit this BB to include all
Ports Protocol common ports used by Web
Definition servers.
Windows Ports Protocol common ports used by
Definition Windows servers.
BB:ProtocolDefinition: Port\ Common Edit this BB to include all
Windows Protocols Protocol common protocols (not
Definition including TCP) used by
Windows servers that will be
ignored for false positive
tuning rules.
BB:Recon: Local: ICMP Recon Flow Edit this BB to identify BB:Threats: Scanning: ICMP
Scan (High) applications and protocols Scan High
ICMP traffic. This BB detects
when a host is scanning
more than 100,000 hosts per
minute using ICMP. This
activity indicates a host
performing reconnaissance
activity at an extremely high
rate. This is typical of a worm
infection or a standard
scanning application.


Scan (Low) applications and protocols Scan Low
a host scanning more than
500 hosts per minute using
ICMP. This may indicate a
host configured for network
management or normal
server behavior on a busy
internal network. If this
behavior continues for
extended periods of time,
this may indicate classic
behavior of worm activity.
Scan (Medium) applications and protocols Scan Medium
a host scanning more than
5,000 hosts per minute using
ICMP. This indicates a host
infection or a host configured
for network management
purposes.
BB:Recon: Local: Recon Flow This BB detects a host BB:Threats: Scanning: Empty
Scanning Activity (High) performing reconnaissance Responsive Flows High
rate (more than 100,000
hosts per minute), which is
typical of a worm infection of
a scanning application.
Scanning Activity (Low) scanning more than 500 Responsive Flows Low
hosts per minute. This
indicates a host performing
reconnaissance activity at a
high rate. This is typical of a
worm infection or a host
configured for network
management purposes.


Scanning Activity scanning more than 5,000 Responsive Flows Medium
(Medium) hosts per minute. This
BB:Recon: Remote: Recon Flow This BB detects a host BB:Threats: Scanning: ICMP
ICMP Scan (High) scanning more than 100,000 Scan High
hosts per minute using
infection or a standard
scanning application.
BB:Recon: Remote: Recon Flow This BB detects a host BB:Threats: Scanning: ICMP
ICMP Scan (Low) scanning more than 500 Scan Low
ICMP. This may indicate a
host configured for network
management or normal
server behavior on a busy
internal network. If this
behavior continues for
extended periods of time,
this may indicate classic
behavior of worm activity.
We recommend that you
check the host of infection or
malware installation.
BB:Recon: Remote: Recon Flow This BB detects a host B:Threats: Scanning: ICMP
ICMP Scan (Medium) scanning more than 5,000 Scan Medium
infection or a host configured
for network management
purposes.


BB:Recon: Remote: Recon Flow This BB detects a host BB:Threats: Scanning:
Potential Network Scan sending identical packets to Potential Scan
a number of hosts that are
not responding. This may
indicate a host configured for
network management or
normal server behavior on a
busy internal network.
However, client hosts in your
network should not be
exhibiting this behavior for
long periods of time.
BB:Recon: Remote: Recon Flow This BB detects a host BB:Threats: Scanning: Empty
Scanning Activity (High) performing reconnaissance Responsive Flows High
rate (more than 100,000
hosts per minute), which is
typical of a worm infection of
a scanning application.
Scanning Activity (Low) scanning more than 500 Responsive Flows Low
hosts per minute. This
Scanning Activity scanning more than 5,000 Responsive Flows Medium
(Medium) hosts per minute. This
BB:Recon Recon Event Edit this BB to define all Q1
Detected: All Recon Labs default reconnaissance
Rules tests. This BB is used to
detect a host that has
performed reconnaissance
such that other follow on
tests can be performed. For
example, reconnaissance
followed by firewall accept.


BB:Recon Recon Event Edit this BB to include all
Detected: Devices That devices that accumulate
Merge Recon into Single reconnaissance across
Events multiple hosts or ports into a
single event. This rule forces
these events to become
offenses.
BB:Recon Recon Event Edit this BB to define
Detected: Host Port Scan reconnaissance scans on
hosts in your deployment.
BB:Recon Recon Event Edit this BB to indicate port
Detected: Port Scan scanning activity across
Detected Across Multiple multiple hosts. By default,
Hosts this BB applies when a
source IP address is
against more than five hosts
within 10 minutes. If internal,
this may indicate an
exploited machine or a worm
scanning for destination IP
addresses.
BB:Suspicious: Local: Suspicious Flow This BB detects an BB:Threats: Suspicious IP
Anomalous ICMP Flows excessive number of ICMP Protocol Usage: Suspicious
flows from one source IP ICMP Type Code
address, where the applied
ICMP types and codes are
considered abnormal when
seen entering or leaving the
network.
Inbound Unidirectional excessive rate (more than Protocol
Flows Threshold 1,000) of unidirectional flows Usage:Unidirectional UDP
within the last 5 minutes. and Misc Flows
This may indicate a scan is
BB:Threats: Suspicious IP
in progress, worms, DoS
Protocol
attack, or issues with your
Usage:Unidirectional TCP
network configuration.
Flows
Protocol Usage:
Unidirectional ICMP Flows


BB:Suspicious: Local: Suspicious Flow This BB detects flows that BB:Threats: Suspicious IP
Invalid TCP Flag Usage appear to have improper flag Protocol Usage: Illegal TCP
combinations. This may Flag Combination
indicate various behaviors,
such as OS detection, DoS
attacks, or even forms of
reconnaissance.
Outbound Unidirectional excessive rate of outbound Protocol
Flows Threshold unidirectional flows (remote Usage:Unidirectional UDP
host not responding) within 5 and Misc Flows
minutes.
Protocol
Flows
B:Threats: Suspicious IP
Protocol Usage:
BB:Suspicious: Local: Suspicious Flow This BB detects flows with BB:Threats: Suspicious IP
Port 0 Flows Detected Port 0 as the destination or Protocol Usage: TCP or UDP
source port. This may be Port 0
considered suspicious.
Rejected Communication indicate a host is attempting Protocol Usage: Zero
Attempts to establish connections to Payload Bidirectional Flows
other hosts and is being
refused by the hosts.
BB:Suspicious: Local: Suspicious Flow This BB detects suspicious BB:Threats: Suspicious
Suspicious IRC Traffic IRC traffic. Activity: Suspicious IRC Ports
BB:Threats: Suspicious
Activity: Suspicious IRC
Traffic
BB:Suspicious: Local: Suspicious Flow This BB detects excessive BB:Threats: Suspicious IP
Unidirectional ICMP unidirectional ICMP traffic Protocol Usage:
Detected from a single source. This Unidirectional ICMP Flows
may indicate an attempt to
enumerate hosts on the
network or other serious
network issues.
BB:Suspicious: Local: Suspicious Flow This BB detects excessive BB:Threats: Suspicious IP
Unidirectional ICMP unidirectional ICMP Protocol Usage:
Responses Detected responses from a single Unidirectional ICMP Replies
source. This may indicate an
attempt to enumerate hosts
on the network or other
serious network issues.


Unidirectional TCP Flows indicate a host is sending an Protocol
excessive quantity (at least Usage:Unidirectional TCP
15) of unidirectional flows. Flows
These types of flows may be
considered normal, however,
client workstations and other
devices, should not be seen
emitting large quantities of
such flows. This activity
should be considered
suspicious.
Unidirectional UDP or excessive number of Protocol
Misc Flows unidirectional UDP and Usage:Unidirectional TCP
miscellaneous flows from a Flows
single source.
BB:Suspicious: Remote: Suspicious Flow This BB detects an BB:Threats: Suspicious IP
Anomalous ICMP Flows excessive number of ICMP Protocol Usage: Suspicious
flows from one source IP ICMP Type Code
address and the applied
ICMP types and codes are
considered abnormal when
seen entering or leaving the
network.
Inbound Unidirectional excessive rate (more than Protocol
Flows Threshold 1,000) of unidirectional flows Usage:Unidirectional UDP
within the last 5 minutes. and Misc Flows
This may indicate a scan is
in progress, worms, DoS Protocol
attack, or issues with your
network configuration.
Flows
Protocol Usage:
BB:Suspicious: Remote: Suspicious Flow This BB detects flows that BB:Threats: Suspicious IP
Invalid TCP Flag Usage appear to have improper flag Protocol Usage: Illegal TCP
combinations. This may Flag Combination
indicate various troubling
behaviors, such as OS
detection, DoS attacks, or
reconnaissance.


Outbound Unidirectional excessive rate of outbound Protocol
Flows Threshold unidirectional flows (remote Usage:Unidirectional UDP
host not responding) within 5 and Misc Flows
minutes.
Protocol
Flows
Protocol Usage:
BB:Suspicious: Remote: Suspicious Flow This BB detects flows with BB:Threats: Suspicious IP
Port 0 Flows Detected Port 0 as the destination or Protocol Usage: TCP or UDP
source port. This may be Port 0
considered suspicious.
Rejected indicate a host is attempting Protocol Usage: Zero
Communications to establish connections to Payload Bidirectional Flows
Attempts other hosts and is being
refused by the hosts.
BB:Suspicious: Remote: Suspicious Flow This BB detects suspicious BB:Threats: Suspicious
Suspicious IRC Traffic IRC traffic. Activity: Suspicious IRC Ports
BB:Threats: Suspicious
Activity: Suspicious IRC
Traffic
BB:Suspicious: Remote: Suspicious Flow This BB detects excessive BB:Threats: Suspicious IP
Unidirectional ICMP unidirectional ICMP traffic Protocol Usage:
Detected from a single source. This Unidirectional ICMP Flows
may indicate an attempt to
enumerate hosts on the
network or other serious
network issues.
BB:Suspicious: Remote: Suspicious Flow This BB detects excessive BB:Threats: Suspicious IP
Unidirectional ICMP unidirectional ICMP Protocol Usage:
Responses Detected responses from a single Unidirectional ICMP Replies
source. This may indicate an
attempt to enumerate hosts
on the network or other
serious network issues.


Unidirectional TCP Flows indicate a host is sending an Protocol
excessive quantity (at least Usage:Unidirectional TCP
15) of unidirectional flows. Flows
These types of flows may be
considered normal, however,
client workstations and other
devices, should not be seen
emitting large quantities of
such flows. This activity
should be considered
suspicious.
Unidirectional UDP or excessive number of Protocol
Misc Flows unidirectional UDP and Usage:Unidirectional TCP
miscellaneous flows from a Flows
single source.
BB:Threats: DoS: Threats Flow This BB detects a denial of
Inbound Flood with No service condition where the
Response High source packet count is
greater than 6,000,000 and
there is no response from the
hosts being targeted.
Response Low source packet count is
greater than 30,000 and
Response Medium source packet count is
BB:Threats: DoS: Threats Flow This BB detects a high
Multi-Host Attack High number of hosts potentially
performing a denial of
service attack.
BB:Threats: DoS: Threats Flow This BB detects a lower
Multi-Host Attack Low number of hosts potentially
service attack.
BB:Threats: DoS: Threats Flow This BB detects a medium
Multi-Host Attack Medium number of hosts potentially
service attack.


Outbound Flood with No service condition where the
Response High source packet count is
greater than 6,000,000 and
Response Low source packet count is
Response Medium source packet count is
BB:Threats: DoS: Threats Flow This BB detects potential a
Potential ICMP DoS potential ICMP DoS attacks.
BB:Threats: DoS: Threats Flow This BB detects multiple
Potential Multihost Attack hosts potentially performing
a denial of service attack.
Potential TCP DoS potential TCP DoS attacks.
Potential UDP DoS potential UDP DoS attacks.
BB:Threats: Port Scans: Threats Flow This BB detects potential
Host Scans reconnaissance by flows.
BB:Threats: Port Scans: Threats Flow This BB detects UDP based
UDP Port Scan port scans.
BB:Threats: Remote Threats Flow This BB detects flows where
Access Violations: a remote desktop application
Remote Desktop Access is being accessed from a
from Remote Hosts remote host.
BB:Threats: Remote Threats Flow This BB detects flows where
Access Violations: VNC a VNC service is being
Activity from Remote accessed from a remote
Hosts host.
BB:Threats: Scanning: Threats Flow This BB detects potential
Empty Responsive Flows reconnaissance activity
High where the source packet
count is greater than
100,000.


Low where the source packet
count is greater than 500.
Medium where the source packet
count is greater than 5,000.
BB:Threats: Scanning: Threats Flow This BB detects a high level
ICMP Scan High of ICMP reconnaissance
activity.
BB:Threats: Scanning: Threats Flow This BB detects a low level
ICMP Scan Low of ICMP reconnaissance
activity.
BB:Threats: Scanning: Threats Flow This BB detects a medium
ICMP Scan Medium level of ICMP
Potential Scan reconnaissance activity.
BB:Threats: Scanning: Threats Flow This BB detects a high level
Scan High of potential reconnaissance
activity.
BB:Threats: Scanning: Threats Flow This BB detects a low level
Scan Low of potential reconnaissance
activity.
BB:Threats: Scanning: Threats Flow This BB detects a medium
Scan Medium level of potential
BB:Threats: Suspicious Threats Flow This BB detects suspicious
Activity: Suspicious IRC IRC traffic.
Traffic
BB:Threats: Suspicious Threats Flow This BB detects flows that
IP Protocol Usage: Illegal have an illegal TCP flag
TCP Flag Combination combination.
BB:Threats: Suspicious Threats Flow This BB detects abnormally
IP Protocol Usage: Large large DNS traffic.
DNS Packets
BB:Threats: Suspicious Threats Flow This BB detects flows with
IP Protocol Usage: Large abnormally large ICMP
ICMP Packets packets.
BB:Threats: Suspicious Threats Flow This BB detects flows that
IP Protocol Usage: Long have been active for more
Duration Outbound Flow than 48 hours


BB:Threats: Suspicious Threats Flow This BB detects ICMP flows
IP Protocol Usage: with suspicious ICMP type
Suspicious ICMP Type codes.
Code
BB:Threats: Suspicious Threats Flow This BB detects suspicious
IP Protocol Usage: TCP flows using port 0.
or UDP Port 0
BB:Threats: Suspicious Threats Flow This BB detects
IP Protocol Usage: unidirectional ICMP flows.
Unidirectional ICMP
Flows
BB:Threats: Suspicious Threats Flow This BB detects traffic where
IP Protocol Usage: ICMP replies are seen with
Unidirectional ICMP no request.
Replies
BB:Threats: Suspicious Threats Flow This BB detects bidirectional
IP Protocol Usage: Zero traffic that does not include
Payload Bidirectional payload.
Flows
IP Protocol unidirectional TCP flows.
Flows
IP Protocol unidirectional UDP and other
Usage:Unidirectional miscellaneous flows.
UDP and Misc Flows
User-BB:FalsePositive: User Tuning Common This BB contains any events
User Defined False that you have tuned using
Positives Tunings the False Positive tuning
function. For more
information, see the QRadar
Users Guide.
User-BB:FalsePositive: User Tuning Event Edit this BB to include any User-BB:HostDefinition:
Server Type 1 - User event categories you want to Server Type 1 - User Defined
Defined False Positive consider false positives for
Categories hosts defined in the
associated BB.
User-BB:FalsePositive: User Tuning Event Edit this BB to include any User-BB:HostDefinition:
Server Type 1 - User events you want to consider Server Type 1 - User Defined
Defined False Positive false positives for hosts
Events defined in the associated BB.


User-BB:FalsePositive: User Tuning Event Edit this BB to include any User:BB:HostDefinition:
User Defined Server Type event categories you want to Server Type 2 - User Defined
2 False Positive consider false positives for
associated BB.
User Defined Server Type events you want to consider Server Type 2 - User Defined
2 False Positive Events false positives for hosts
defined in the associated BB.
User Defined Server Type event categories you want to Server Type 3 - User Defined
3 False Positive consider false positives for
associated BB.
User Defined Server Type events you want to consider Server Type 3 - User Defined
3 False Positive Events false positives for hosts
defined the associated BB.
User-BB:HostDefinition: User Tuning Event Edit this BB to include the IP User-BB:FalsePositives:
Server Type 1 - User address of your custom Server Type 1 - User Defined
Defined server type. Once you have False Positive Category
added the servers, add any
User-BB:False Positives:
events or event categories
Server Type 1 - User Defined
you want to consider false False Positive Events
positives to these servers as
defined in the associated
BBs.
Server Type 2 - User address of your custom User Defined Server Type 2
added the servers, add any User-BB:False Positives:
User Defined Server Type 2
you want to consider false
False Positive Events
defined in the associated
BBs.
Server Type 3 - User address of your custom User Defined Server Type 3
added the servers, add any
User-BB:False Positives:
User Defined Server Type 3
you want to consider false
False Positive Events
defined in the as defined in
the associated BBs.

C RULE TESTS
This section provides information on the tests you can apply to the rules including:
• Event Rule Tests
• Flow Rule Tests
• Common Rule Tests
• Offense Rule Tests
• Anomaly Detection Rule Tests
Event Rule Tests This section provides information on the event rule tests you can apply to the rules
including:
• Host Profile Tests
• IP/Port Tests
• Event Property Tests
• Common Property Tests
• Log Source Tests
• Function - Sequence Tests
• Function - Counter Tests
• Function - Simple Tests
• Date/Time Tests
• Network Property Tests
• Function - Negative Tests

268 RULE TESTS
Host Profile Tests The host profile tests include:

Table C-1 Event Rule: Host Profile Tests
Test Description Default Test Name Parameters

Host Profile Valid when the port is open on when the local source Configure the following parameters:
Port the configured local source or host destination port is • source | destination - Specify if you
destination. You can also specify open either actively want this test to apply to the source or
if the status of the port is or passively seen destination port. The default is
detected using one of the source.
following methods:
• actively seen | passively seen |
• Active - QRadar actively either actively or passively -
searches for the configured port Specify if you want this test to
through scanning or vulnerability consider active and/or passive
assessment. scanning. The default is either
actively or passively seen.
• Passive - QRadar passively
monitors the network recording
hosts previously detected.
Host Existence Valid when the local source or when the local source Configure the following parameters:
destination host is known to exist host exists either • source | destination - Specify if you
through active or passive actively or passively want this test to apply to source or
scanning. seen destination host. The default is
You can also specify if the status source.
of the host is detected using one • actively seen | passively seen |
of the following methods: either actively or passively -
Specify if you want this test to
• Active - QRadar actively consider active and/or passive
searches for the configured host scanning. The default is either
through scanning or vulnerability actively or passively seen.
assessment.
Host Profile Valid when the local source or when the local source Configure the following parameters:
Age destination host profile age is host profile age is • source | destination - Specify if you
greater than the configured greater than this want this test to apply to source or
value within the configured time number of time destination host. The default is
intervals. intervals source.
• greater than | less than - Specify if
you want this test to consider greater
than or less than the profile host age.
• this number of - Specify the number
of time intervals you want this test to
consider.
• time intervals - Specify whether you
want this test to consider minutes or
hours.

Table C-1 Event Rule: Host Profile Tests (continued)

Host Port Age Valid when the local source or when the local source Configure the following parameters:
destination port profile age is host profile port age is • source | destination - Specify if you
greater than or less than a greater than this want this test to apply to the source or
configured amount of time. number of time destination port. The default is
intervals source.
than or less than the profile port age.
The default is greater than.
• this number of - Specify the time you
want this test to consider.
hours.
Asset Weight Valid when the specified asset when the destination Configure the following parameters:
has an assigned weight greater asset has a weight • source | destination - Specify if want
than or less than the configured greater than this this test to consider the source or
value. weight destination asset. The default is
destination.
• greater than | less than | equal to -
Specify if you want the value to be
greater than, less than, or equal to
the configured value.
• this weight - Specify the weight you
Host Valid when the specified host when the destination Configure the following parameters:
Vulnerable to port is vulnerable to the current is vulnerable to • destination | source | local host |
Event event. current exploit on any remote host - Specify if want this test
port to consider a destination, source,
local host, or remote host. The default
is destination.
• current | any - Specify if you want
this test to consider current or any
exploit. The default is current.
• current | any - Specify if you want
this test to consider any or the current
port. The default is any.
OSVDB IDs Valid when an IP address when the source IP is Configure the following parameters:
(source, destination, or any) is vulnerable to one of • source IP | destination IP | any IP -
vulnerable to the configured the following OSVDB Specify if you want this test to
Open Source Vulnerability IDs consider the source IP address,
Database (OSVDB) IDs. destination IP address, or any IP
address. The default is source IP.
• OSVDB IDs - Specify any OSVDB
IDs that you want this test to
consider. For more information
regarding OSVDB IDs, see
http://osvdb.org/.

270 RULE TESTS
IP/Port Tests The IP/Port tests include:

Table C-2 Event Rule: IP / Port Test Group

Source Port Valid when the source port when the source port is one ports - Specify the ports you want
of the event is one of the of the following ports this test to consider.
configured source port(s).
Destination Port Valid when the destination when the destination port is ports - Specify the ports you want
port of the event is one of one of the following ports this test to consider.
the configured destination
port(s).
Local Port Valid when the local port of when the local port is one ports - Specify the ports you want
the event is one of the of the following ports this test to consider.
configured local port(s).
Remote Port Valid when the remote port when the remote port is one ports - Specify the ports you want
of the event is one of the of the following ports this test to consider.
configured remote port(s).
Source IP Valid when the source IP when the source IP is one IP addresses - Specify the IP
Address address of the event is one of the following IP address(es) you want this test to
of the configured IP addresses consider.
address(es).
Destination IP Valid when the destination when the destination IP is IP addresses - Specify the IP
Address IP address of the event is one of the following IP address(es) you want this test to
one of the configured IP addresses consider.
address(es).
Local IP Valid when the local IP when the local IP is one of IP addresses - Specify the IP
Address address of the event is one the following IP addresses address(es) you want this test to
of the configured IP consider.
address(es).
Remote IP Valid when the remote IP when the remote IP is one IP addresses - Specify the IP
Address address of the event is one of the following IP address(es) you want this test to
of the configured IP addresses consider.
address(es).
IP Address Valid when the source or when either the source or IP addresses - Specify the IP
destination IP address of destination IP is one of the address(es) you want this test to
the event is one of the following IP addresses consider.
configured IP address(es).
Source or Valid when the either the when the source or these ports - Specify the ports you
Destination Port source or destination port is destination port is any of want this test to consider.
one of the configured ports. these ports

Event Property Tests The event property test group includes:

Table C-3 Event Rule: Event Property Tests

Local Network Valid when the event occurs when the destination Configure the following parameters:
Object in the specified network. network is one of the • source | destination - Specify if you
following networks want this test to consider the source or
destination IP address of the event.
• one of the following networks -
Specify the areas of the network you
want this test to apply.
IP Protocol Valid when the IP protocol of when the IP protocol is protocols - Specify the protocols you
the event is one of the one of the following want to add to this test.
configured protocols. protocols
Event Payload Each event contains a copy when the Event Payload this string - Specify the text string you
Search of the original unnormalized contains this string want include for this test.
event. This test is valid
when the entered search
string is included anywhere
in the event payload.
QID of Event A QID is a unique identifier when the event QID is one QIDs - Use of the following options to
for events. This test is valid of the following QIDs locate QIDs:
when the event identifier is a • Select the Browse By Category option
configured QID. and using the drop-down list boxes,
select the high and low-level category
QIDs you want to locate.
• Select the QID Search option and enter
the QID or name you want to locate.
Click Search.
Event Context Event Context is the when the event context is this context - Specify the context you
relationship between the this context want this test to consider. The options
source IP address and are:
destination IP address of the • Local to Local
event. For example, a local
source IP address to a • Local to Remote
remote destination IP • Remote to Local
address.
• Remote to Remote
Valid if the event context is
• Local to Local
• Local to Remote
• Remote to Local

272 RULE TESTS
Table C-3 Event Rule: Event Property Tests (continued)

Event Valid when the event when the event category categories - Specify the event
Category category is the same as the for the event is one of the category you want this test to
configured category, for following categories consider.
example, Denial of Service
For more information on event
(DoS) attack.
categories, see Appendix E Event
Categories.
Severity Valid when the event when the event severity is Configure the following parameters:
severity is greater than, less greater than 5 {default} • greater than | less than | equal to -
than, or equal to the Specify whether the severity is greater
configured value. than, less than, or equal to the
configured value.
• 5 - Specify the index, which is a value
from 0 to 10. The default is 5.
Credibility Valid when the event when the event credibility Configure the following parameters:
credibility is greater than, is greater than 5 • greater than | less than | equal to -
less than, or equal to the {default} Specify whether the credibility is
configured value. greater than, less than, or equal to the
configured value.
Relevance Valid when the event when the event relevance Configure the following parameters:
relevance is greater than, is greater than 5 • greater than | less than | equal to -
less than, or equal to the {default} Specify whether the relevance is
configured value. greater than, less than, or equal to the
configured value.
Source Valid when the source IP when the source is local local | remote - Specify either local or
Location address of the event is or remote {default: remote traffic.
either local or remote. remote}
Destination Valid when the destination when the destination is local | remote - Specify either local or
Location IP address of the event is local or remote {default: remote traffic.
Rate Analysis QRadar monitors event when the event has been
rates of all source IP marked with rate analysis
addresses/QIDs and
destination IP
addresses/QIDs and marks
events that exhibit abnormal
rate behavior.
Valid when the event has
been marked for rate
analysis.


False Positive When you tune false when the false positive signatures - Specify the false positive
Tuning positive events in the Log signature matches one of signature you want this test to
Activity interface, the the following signatures consider. Enter the signature in the
resulting tuning values following format:
appear in this test. If you
<CAT|QID|ANY>:<value>:<source
want to remove a false
IP>:<dest IP>
positive tuning, you can edit
this test to remove the Where:
necessary tuning values. <CAT|QID|ANY> - Specify whether
you want this false positive signature
to consider a category (CAT), Q1 Labs
Identifier (QID), or any value.
<value> - Specify the value for the
<CAT|QID|ANY> parameter. For
example, if you specified QID, you
must specify the QID value.
<source IP> - Specify the source IP
address you want this false positive
signature to consider.
<dest IP> - Specify the destination IP
address you want this false positive
signature to consider.
Regex Valid when the configured when the username Configure the following parameters:
MAC address, username, matches the following • MAC | source MAC | destination
hostname, or operating regex MAC | username | source username |
system is associated with a destination username | event
particular regular username | hostname | source
expressions (regex) string. hostname | dest hostname | OS |
source OS | dest OS | event payload
Note: This test assumes - Specify the value you want to
knowledge of regular associate with this test. The default is
expressions (regex). When username.
you define custom regex • regex - Specify the regex string you
patterns, adhere to regex want this test to consider.
rules as defined by the Java
programming language. For
more information, see the
following web site:
http://java.sun.com/docs/bo
oks/tutorial/extra/regex/
IPv6 Valid when the source or when the source IP(v6) is Configure the following parameters:
destination IPv6 address is one of the following IPv6 • source IP(v6) | destination IP(v6) -
the configured IP address. addresses Specify whether you want this test to
consider the source or destination IPv6
address.
• IP(v6) addresses - Specify the IPv6
addresses you want this test to
consider.

274 RULE TESTS

Reference Set Valid when any or all when any of these event Configure the following parameters:
configured event properties properties are contained • any | all - Specify if you want this test to
are contained in any or all in any of these reference consider any or all of the configured
configured reference sets. set(s) event properties.
• these event properties - Specify the
event properties you want this test to
consider.
• any | all - Specify if you want this test to
consider any or all of the configured
reference sets.
• these reference set(s) - Specify the
reference set(s) you want this test to
consider.
Search Filter Valid when the event when the event matches this search filter - Specify the search
matches the specified this search filter filter you want this test to consider.
search filter.
Common Property The common property test group includes:

Tests
Table C-4 Event Rule: Common Property Tests

CVSS Risk Valid when the specified host when the destination Configure the following parameters:
has a CVSS risk value that host has a CVSS risk • source | destination | either - Specify
matches the configured value of greater than whether the test considers the source
value. this amount and/or destination host of the event.
Specify if you want the CVSS risk value to
be greater than, less than, or equal to the
configured value.
• 0 - Specify the value you want this test to
consider. The default is 0.
CVSS Risk Valid when the specified port when the destination • source | destination | either - Specify
has a CVSS risk value that port has a CVSS risk whether the test considers the source
matches the configured value of greater than and/or destination port of the event.
value. this amount • greater than | less than | equal to -
Specify if you want the threat level to be
greater than, less than, or equal to the
configured value.
Custom Rule Valid when the event is when the event is these - Specify the Custom Rule Engine
Engines processed by the specified processed by one of you want this test to consider.
Custom Rule Engines these Custom Rule
Engines

Table C-4 Event Rule: Common Property Tests (continued)

Regex Valid when the configured when of these Configure the following parameters:
property is associated with a properties match the • these properties - Specify the value you
particular regular following regex want to associate with this test. Options
expressions (regex) string. include all normalized and custom flow
Note: This test assumes and event properties.
knowledge of regular • regex - Specify the regex string you want
expressions (regex). When this test to consider.
you define custom regex
patterns, adhere to regex
following web site:
http://java.sun.com/docs/boo
ks/tutorial/extra/regex/
Hexadecimal Valid when the configured when any of these Configure the following parameters:
property is associated with properties contain any • these properties - Specify the value you
particular hexadecimal of these hexadecimal want to associate with this test. Options
values. values include all normalized and custom flow
and event properties.
• these hexadecimal values - Specify the
hexadecimal values you want this test to
consider.
Log Source Tests The log source tests include:

Table C-5 Event Rule: Log Source Tests

Source Log Valid when one of the when the event(s) were these log sources - Specify the log
Sources configured log sources is the detected by one or sources that you want this test to
source of the event. more of these log detect.
sources
Log Source Type Valid when one of the when the event(s) were these log source types - Specify
configured log source types detected by one or the log sources that you want this
is the source of the event more of these log test to detect.
source types
Inactive Log Valid with one of the when the event(s) Configure the following parameters:
Sources configured log sources has have not been
these log sources - Specify the log
not generated an event in the detected by one or
sources that you want this test to
configured time. more of these log
detect.
sources for this many
seconds this many - Specify the number of
time intervals you want this test to
consider.

276 RULE TESTS
Table C-5 Event Rule: Log Source Tests (continued)

Log Source Groups Valid when an event is when the event(s) were these log source groups - Specify
detected by the configured detected by one or the groups you want this rule to
log source groups more of these log consider.
source groups
Function - Sequence The function - sequence tests include:

Tests
Table C-6 Event Rule: Functions - Sequence Group

Multi-Rule Allows you to use saved when all of these Configure the following parameters:
Event Function building blocks or other rules to rules, in|in any order, • rules - Specify the rules you want this
populate this test. This function from the same|any test to consider.
allows you to detect a specific source IP to the
sequence of selected rules same|any destination • in | in any - Specify whether you want
this test to consider in or in any order.
involving a source and IP, over this many
destination within a configured seconds • the same | any - Specify if you want
time period. this test to consider the same or any
of the configured sources.
• username | source IP | source port |
destination IP | destination port |
QID | event ID | log source |
category - Specify the source you
want this test to consider. The default
is the source IP address.
• the same | any - Specify if you want
this test to consider the same or any
of the configured destinations.
• destination IP | username |
destination port - Specify whether
you want this test to consider a
destination IP address, username, or
destination port. The default is
destination IP.
• this many - Specify the number of
consider.
• seconds | minutes | hours | days -
Specify the time interval you want this
test to consider. The default is
seconds.

Table C-6 Event Rule: Functions - Sequence Group (continued)

Multi-Rule Allows you to use saved when at least this Configure the following parameters:
Event Function building blocks or other rules to number of these • this number - Specify the number of
populate this test. You can use rules, in|in any order, rules you want this function to
this function to detect a number from the same|any consider.
of specified rules, in sequence, source IP to the
• rules - Specify the rules you want this
involving a source and same|any destination
test to consider.
destination within a configured IP, over this many
time interval. seconds • in | in any - Specify whether you want
QID | event ID | log sources |
category - Specify the source you
• destination IP | username |
destination port - Specify whether
you want this test to consider a
destination IP address, username, or
destination IP.
consider.
test to consider.
Multi-Event Allows you to detect a sequence when this sequence of Configure the following parameters:
Sequence of selected rules involving the rules, involving the • rules - Specify the rules you want this
Function same source and destination same source and test to consider
Between Hosts hosts within the configured time destination hosts in
interval. You can also use saved this many seconds • this many - Specify the number of
building blocks and other rules
consider.
to populate this test.
seconds.

278 RULE TESTS

Multi-Rule Allows you to detect a number when at least this Configure the following parameters:
Function of specific rules for a specific IP many of these rules, • this many - Specify the number of
address or port followed by a in|in any order, with rules you want this test to consider.
number of specific rules for a the same username
specific port or IP address. You followed by at least • rules - Specify the rules you want this
test to consider.
can also use building blocks or this many of these
existing rules to populate this rules in| in any order • in | in any - Specify if you want this
test. to/from the same test to consider rules in a specific
destination IP from order.
the previous • username | source IP | source port |
sequence, within this destination IP | destination port -
many minutes Specify whether you want this test to
consider the username, source IP,
source port, destination IP, or
username.
rules you want this test to consider.
test to consider.
• in | in any - Specify if you want this
test to consider rules in a specific
order.
• to | from - Specify if the direction you
destination IP | destination port -
Specify whether you want this test to
consider the username, source IP,
source port, destination IP, or
destination IP.
time intervals you want this rule to
consider.
rule to consider. The default is
minutes.


Rule Function Allows you to detect a number when these rules Configure the following parameters:
of specific rules with the same match at least this • these rules - Specify the rules you
event properties and different many times in this want this test to consider.
event properties within the many minutes after
configured time interval. these rules match • this many - Specify the number of
times the configured rules must match
the test.
consider.
minutes.
• these rules - Specify the rules you
Event Property Allows you to detect a when these rules Configure the following parameters:
Function configured number of specific match at least this • these rules - Specify the rules you
rules with the same event many times with the want this test to consider.
properties within the configured same event
time interval. properties in this • this many - Specify the number of
many minutes after
the test.
these rules match
• event properties - Specify the event
properties you want this test to
consider. Options include all
normalized and custom event
properties.
consider.
minutes.

280 RULE TESTS

Event Property Allows you to detect when when these rules Configure the following parameters:
Function specific rules occur a configured match at least this • these rules - Specify the rules you
number of times with the same many times with the want this test to consider.
event properties and different same event
event properties within the properties and • this many - Specify the number of
configured time interval after a different event
the test.
series of specific rules. properties in this
many minutes after • event properties - Specify the event
these rules match properties you want this test to
properties.
consider.
minutes.
Rule Function Allows you to detect when when these rules Configure the following parameters:
specific rules occur a configured match at least this • these rules - Specify the rules you
number of times in a configured many times in this want this test to consider.
time interval after a series of many minutes after
specific rules occur with the these rules match • this many - Specify the number of
same event properties. with the same event
the test.
properties
consider.
minutes.
properties.


event properties in a configured same event
time interval after a series of properties in this • this many - Specify the number of
specific rules occur with the many minutes after
the test.
same event properties. these rules match
with the same event • event properties - Specify the event
properties properties you want this test to
properties.
consider.
minutes.
properties.

282 RULE TESTS

event properties in a configured properties and • this many - Specify the number of
time interval after a series of different event
the test.
specific rules occur with the properties in this
same event properties. many minutes after • event properties - Specify the event
with the same event consider. Options include all
properties
properties.
properties.
consider.
minutes.
properties.


Event Property Allows you to detect when when at least this Configure the following parameters:
Function specific number of events occur many events are seen • this many - Specify the number of
with the same event properties with the same event events you want this test to consider.
and different event properties in properties and
a configured time interval after a different event • event properties - Specify the event
series of specific rules occur. properties in this
many minutes after normalized and custom event
these rules match properties.
properties.
consider.
minutes.
in a configured time interval properties in this
after a series of specific rules many minutes after • event properties - Specify the event
occur with the same event these rules match
properties. with the same event normalized and custom event
properties properties.
consider.
minutes.
properties.

284 RULE TESTS

series of specific rules occur properties in this
with the same event properties. many minutes after normalized and custom event
with the same event
properties • event properties - Specify the event
properties.
consider.
minutes.
properties.

Function - Counter The function - counter tests include:

Tests
Table C-7 Event Rule: Functions - Counters Group

Multi-Event Allows you to test the number of when a(n) source IP Configure the following parameters:
Counter events from configured matches more • username | source IP | source port |
Function conditions, such as, source IP than|exactly this destination IP | destination port |
address. You can also use many of these rules QID | event ID | log sources |
building blocks and other rules across more category - Specify the source you
to populate this test. than|exactly this want this test to consider. The default
many destination IP, is the source IP address.
over this many • more than | exactly - Specify if you
minutes want this test to consider more than or
exactly the number of rules.
test to consider.
• more than | exactly - Specify if you
want this test to consider more than or
exactly the number of destination IP
address(es), destination port(s),
QID(s), log source event ID(s), or log
source(s) that you selected in the
source above.
• this many - Specify the number of IP
addresses, ports, QIDs, events, log
sources, or categories you want this
test to consider.
• username | destination IP | source
IP | source port | destination port |
category - Specify the destination you
is destination IP.
• this many - Specify the time value you
want to assign to this test.
minutes.

286 RULE TESTS
Table C-7 Event Rule: Functions - Counters Group (continued)

Multi-Rule Allows you to detect a series of when any of these Configure the following parameters:
Function rules for a specific IP address or rules with the same • rules - Specify the rules you want this
port followed by a series of source IP more than test to consider.
specific rules for a specific port this many times,
or IP address. You can also use across more than| • username | source IP | source port |
building blocks or existing rules exactly this many
to populate this test. destination IP within category - Specify the source you
this many minutes want this test to consider. The default
the test.
source option.
• this many - Specify the number you
want this test to consider, depending
on the option you configured in the
source IP parameter.
is destination IP.
• this many - Specify the time interval
you want to assign to this test.
minutes.
Username Allows you to detect multiple when the username Configure the following parameters:
Function updates to usernames on a changes more than • MAC | username | hostname -
single host. this many times within Specify if you want this test to consider
this many hours on a username, MAC address, or
single host. hostname. The default is username.
changes you want this test to consider.
consider.
test to consider. The default is hours.


Event Property Allows you to detect a series of when at least this Configure the following parameters:
Function events with the same event many events are seen • this many - Specify the number of
properties within the configured with the same event events you want this test to consider.
time interval. properties in this
many minutes • event properties - Specify the event
For example, you can use this properties you want this test to
test to detect when 100 events consider. Options include all
with the same source IP normalized and custom event
address occurs within 5 properties.
minutes. • this many - Specify the number of
consider.
minutes.
properties and different event with the same event events you want this test to consider.
properties within the configured properties and
time interval. different event • event properties - Specify the event
For example, you can use this properties in this
many minutes
test to detect when 100 events normalized and custom event
with the same source IP properties.
address and different • event properties - Specify the event
destination IP address occurs properties you want this test to
within 5 minutes. consider. Options include all
properties.
consider.
minutes.
event properties within the many times in this want this test to consider.
configured time interval. many minutes
the test.
consider.
minutes.

288 RULE TESTS

Event Property Allows you to detect a number when these rules Configure the following parameters:
Function of specific rules with the same match at least this • these rules - Specify the rules you
event properties within the many times with the want this test to consider.
configured time interval. same event
properties in this • this many - Specify the number of
many minutes
the test.
properties.
consider.
minutes.
event properties and different many times with the want this test to consider.
event properties within the same event
configured time interval. properties and • this many - Specify the number of
different event
the test.
properties in this
properties.
properties.
consider.
minutes.

Function - Simple The function - simple tests include:

Tests
Table C-8 Event Rule: Functions - Simple Group

Multi-Rule Allows you to use saved when an event Configure the following parameters:
Event Function building blocks and other rules matches any|all of the • any | all - Specify either any or all of
to populate this test. The event following rules the configured rules apply to this test.
has to match either all or any of
the selected rules. If you want to • rules - Specify the rules you want this
test to consider.
create an OR statement for this
rule test, specify the any
parameter.
Date/Time Tests The date and time tests include:

Table C-9 Event Rule: Date/Time Tests

Event Day Valid when the event occurs when the event(s) Configure the following parameters:
on the configured day of the occur on the selected • on | after | before - Specify if you
month. day of the month want this test to consider on, after, or
before the configured day. The
default is on.
• selected - Specify the day of the
month you want this test to consider.
Event Week Valid when the event occurs when the event(s) these days of the week - Specify
on the configured days of the occur on any of these the days of the week you want this
week. days of the week test to consider.
Event Time Valid when the event occurs when the event(s) Configure the following parameters:
on the after the configured occur after this time • after | before | at - Specify if you
time. want this test to consider after,
before, or at the configured time. The
default is after.
• this time - Specify the time you want
this test to consider.
Network Property The network property test group includes:

Tests
Table C-10 Event Rule: Network Property Tests

Local Valid when the event occurs when the local network one of the following networks -
Networks in the specified network. is one of the following Specify the areas of the network you
networks want this test to apply.

290 RULE TESTS
Table C-10 Event Rule: Network Property Tests (continued)

Remote Valid when an IP address is when the source IP is a Configure the following parameters:
Networks part of any or all of the part of any of the • source IP | destination IP | any IP -
configured remote network following remote Specify if you want this test to consider
locations. network locations the source IP address, destination IP
address, or any IP address.
• remote network locations - Specify the
network locations you want this test to
consider.
Services part of any or all of the part of any of the • source IP | destination IP | any IP -
Networks configured remote services following remote Specify if you want this test to consider
network locations. services network the source IP address, destination IP
locations address, or any IP address.
• remote services network locations -
Specify the services network locations
you want this test to consider.
Geographic Valid when an IP address is when the Source IP is a Configure the following parameters:
configured geographic following geographic Specify if you want this test to consider
network locations. network locations the source IP address, destination IP
• geographic network locations - Specify
the network locations you want this test to
consider.
Function - Negative The function - negative tests include:

Tests
Table C-11 Event Rule: Functions - Negative Group

Event Property Allows you to detect when none when none of these Configure the following parameters:
Function of the specified rules in a rules match in this • these rules - Specify the rules you
configured time interval after a many minutes after want this test to consider.
series of specific rules occur these rules match
with the same event properties. with the same event • this many - Specify the number of
properties
consider.
minutes.
properties.

Flow Rule Tests 291
Table C-11 Event Rule: Functions - Negative Group (continued)

Rule Function Allows you to detect when none when none of these Configure the following parameters:
of the specified rules in a rules match in this • these rules - Specify the rules you
series of specific rules occur. these rules match
consider.
minutes.
Flow Rule Tests This section provides information on the flow rule tests you can apply to the rules
including:
• IP/Port Tests
• Flow Property Tests
• Function - Sequence Tests
• Function - Counters Tests
• Date/Time Tests
• Function - Negative Tests

292 RULE TESTS
Table C-12 Flow Rules: Host Profile Tests

following methods:
scanning. seen destination port. The default is
searches for the configured port scanning. The default is either
assessment.
value within the configured time number of time destination host. The default is
than or less than the profile host age.
consider.
hours.

Flow Rule Tests 293
Table C-12 Flow Rules: Host Profile Tests (continued)

destination port profile age is host profile port age is • source | destination - Specify if you
greater than or less than a greater than this want this test to apply to the source or
intervals source.
hours.
Asset Weight Valid when the device being when the destination Configure the following parameters:
attacked (destination) or if the asset has a weight • source | destination - Specify if want
host is that attacker (source) has greater than this this test to consider the source or
an assigned weight greater than weight destination asset. The default is
or less than the configured destination.
value.
http://osvdb.org/.

Table C-13 Flow Rules: IP / Port Test Group

of the flow is one of the of the following ports this test to consider.
configured source port(s).

294 RULE TESTS
Table C-13 Flow Rules: IP / Port Test Group (continued)

port of the flow is one of the one of the following ports this test to consider.
configured destination
port(s).
the flow is one of the of the following ports this test to consider.
configured local port(s).
of the flow is one of the of the following ports this test to consider.
configured remote port(s).
Address address of the flow is one of of the following IP address(es) you want this test to
the configured IP addresses consider.
address(es).
Address IP address of the flow is one of the following IP address(es) you want this test to
one of the configured IP addresses consider.
address(es).
Address address of the flow is one of the following IP addresses address(es) you want this test to
the configured IP consider.
address(es).
Address address of the flow is one of of the following IP address(es) you want this test to
the configured IP addresses consider.
address(es).
the flow is one of the following IP addresses consider.
configured IP address(es).
Flow Property Tests The flow property test group includes:

Table C-14 Flow Rules: Flow Property Tests

IP Protocol Valid when the IP protocol of when the IP protocol is protocols - Specify the protocols you
the flow is one of the one of the following want to add to this test.

Flow Rule Tests 295
Table C-14 Flow Rules: Flow Property Tests (continued)

Flow Context Flow Context is the when the flow context is this context - Specify the context you
flow. For example, a local
address.
Valid if the flow context is
• Local to Local
• Local to Remote
• Remote to Local
Location address of the flow is either or remote {default: remote traffic. The default is remote.
local or remote. remote}
Location IP address of the flow is local or remote {default: remote traffic. The default is remote.
MAC address, username, matches the following • hostname | source hostname
hostname, or operating regex |destination hostname | source
system is associated with a payload | destination payload -
particular regular Specify the value you want to associate
expressions (regex) string. with this test. The default is username.
Note: This test assumes • regex - Specify the regex string you
knowledge of regular want this test to consider.
expressions (regex). When
following web site:
destination IPv6 address is one of the following IP(v6) • source IP(v6) | destination IP(v6) -
address.
consider.

296 RULE TESTS

Flow Context Flow Context is the when the flow context is this context - Specify the context you
flow. For example, a local
address.
Valid if the flow context is
• Local to Local
• Local to Remote
• Remote to Local
Location address of the flow is either or remote {default: remote traffic. The default is remote.
local or remote. remote}
Location IP address of the flow is local or remote {default: remote traffic. The default is remote.
particular regular Specify the value you want to associate
expressions (regex) string. with this test. The default is username.
Note: This test assumes • regex - Specify the regex string you
knowledge of regular want this test to consider.
following web site:
destination IPv6 address is one of the following IP(v6) • source IP(v6) | destination IP(v6) -
address.
consider.

Flow Rule Tests 297

Reference Set Valid when any or all when any of these flow Configure the following parameters:
configured flow properties properties are contained • any | all - Specify if you want this test to
are contained in any or all in any of these reference consider any or all of the configured
configured reference sets. set(s) event properties.
• these flow properties - Specify the
flow properties you want this test to
consider.
• any | all - Specify if you want this test to
consider any or all of the configured
reference sets.
consider.
Flow Bias Valid when flow direction when the flow bias is any inbound | outbound | mostly
matches the configured flow of the following bias inbound | mostly outbound |
bias. balanced - Specify the flow bias you
is inbound.
Byte / Packet Valid when the number of when the source bytes is Configure the following parameters:
Count bytes or packets matches greater than this amount • source | destination | local | remote -
the configured amount. Specify whether you want this test to
consider the source, destination, local
or remote bytes or packets. The default
is source.
• bytes | packets - Specify whether you
want this test to consider bytes or
packets. The default is bytes.
Specify whether the number of bytes or
packets is greater than, less than, or
equal to the configured value.
• 0 - Specify the value you want this test
to consider. The default is 0.
Host Count Valid when the number of When the number of Configure the following parameters:
hosts matches the source hosts is greater • source | destination | local | remote -
configured amount. than this amount. Specify whether you want this test to
or remote hosts. The default is source.
Specify whether the number of hosts is
configured value.

298 RULE TESTS

Packet Rate Valid when the packet rate when the source packet Configure the following parameters:
matches the configured rate is greater than value • source | destination | local | remote -
amount. packets/second Specify whether you want this test to
or remote packet rate. The default is
source.
Specify whether the packet rate is
configured value.
Flow Duration Valid when the flow duration when flow duration is Configure the following parameters:
is matches the configured greater than value • greater than | less than | equal to -
time interval. seconds Specify whether the flow duration is
configured value.
test to consider. The default is minutes.
Flow Payload Each flow contains a copy of when the source payload Configure the following parameters:
Search the original unnormalized matches the regex • source | destination | local | remote -
event. This test is valid string Specify whether you want this test to
when the entered search consider the source, destination, local
string is included anywhere or remote payload. The default is
in the flow payload. source.
• matches the regex | matches the
hexadecimal - Specify whether you
want to match a regex or hexadecimal
string. The default is regex.
• string - Specify the text string you want
include for this test.
Flow Source Valid when the flow source when the name of the flow these sources - Specify the flow
Name name matches the source is one of these source names you want this test to
configured value(s). sources consider.
Flow Interface Valid when the flow interface when the flow interface is these interfaces - Specify the flow
matches the configured one of these interfaces interface you want this test to
value(s). consider.
Flow Type Valid when the flow type when the flow type is one these flow types - Specify the flow
matches the configured of these flow types type you want this test to consider.
value.

Flow Rule Tests 299

Byte/Packet Valid when the byte/packet when the source Configure the following parameters:
Ratio ratio matches the configured byte/packet ratio is • source | destination | local | remote -
value. greater than value Specify whether you want this test to
bytes/packet consider the source, destination, local
or remote byte/packet ratio. The default
is source.
Specify whether the flow duration is
configured value.
• value - Specify the ratio you want this
test to consider.
ICMP Type Valid when the ICMP type when the ICMP type is these types - Specify the ICMP
matches the configured any of these types type(s) you want this test to consider.
value(s).
ICMP Code Valid when the ICMP code when the ICMP code is these codes - Specify the ICMP
matches the configured any of these codes code(s) you want this test to consider.
value(s).
DSCP Valid when the differentiated when the destination Configure the following parameters:
services code point (DSCP) DSCP is any of these • source | destination | local | remote |
matches the configured values either - Specify whether you want this
value(s). test to consider the source, destination,
local, remote, or either DSCP. The
default is destination.
• these values - Specify the DSCP
value(s) you want this test to consider.
IP Precedence Valid when the IP when the destination IP Configure the following parameters:
precedence matches the precedence is any of • source | destination | local | remote |
configured value(s) these values either - Specify whether you want this
test to consider the source, destination,
local, remote, or either DSCP. The
default is destination.
• these values - Specify the IP
precedence values you want this test to
consider.
Packet Ratio Valid when the configured when the Configure the following parameters:
packet ratio matches the source/destination • source | destination | local | remote -
configured value. packet ratio is greater Specify which direction you want this
than this value test to consider as the preceding value
This test allows you to
specify the values in the in the ratio. The default is source.
packet ratio. • greater than | less than | equal to -
Specify whether the packet ratio is
configured value.
• value - Specify the ratio you want this
test to consider.

300 RULE TESTS

TCP Flags Valid when the TCP flags when the destination Configure the following parameters:
match the configured TCP flags are exactly • source | destination | local | remote -
value(s). these flags Specify whether you want this test to
consider the source, destination, local,
or remote, TCP flags. The default is
destination.
• are exactly | includes all of | includes
any of - Specify whether you want this
test to consider exactly, all of, or any of
the configured TCP flags. The default is
are exactly.
• these flags - Specify the TCP flags you
IF Index Valid when the IF Index when the list of input IF Configure the following parameters:
matches the configured (interface) indexes • input | output | either - Specify which
value(s) includes all of these direction you want this test to consider.
values The default is input.
• all | any - Specify whether you want
this test to consider all or any
configured IFIndex values.
• these values - Specify the IF Indexes
TCP Flag Valid when the TCP flags When the destination Configure the following parameters:
Combination match the configured flag TCP flags are any of • source | destination | local | remote -
combinations. these flag combinations Specify whether you want this test to
consider the source, destination, local,
or remote, TCP flags. The default is
destination.
• these flag combinations - Specify the
flag combinations you want this test to
consider. Separate flags by commas.
Search Filter Valid when the flow matches when the flow matches this search filter - Specify the search
the specified search filter. this search filter filter you want this test to consider.
Flow Payload Valid when the specified when the destination Configure the following parameters:
side of the flow has or does side of the flow has • the source | the destination | the
not have a payload. payload data local | the remote | either - Specify
whether you want this test to consider
the source, destination, local, remote,
or either side of the flow. The default is
destination.
• has | has not - Specify whether you
want this test to consider flows that
have a payload or does not have a
payload.

Flow Rule Tests 301
Common Property The date and time tests include:

Tests
Table C-15 Flow Rules: Common Property Tests

has a CVSS risk value that host has a CVSS risk • source | destination | either -
matches the configured value of greater than Specify whether the test considers
value. this amount the source and/or destination host of
the flow.
Specify if you want the CVSS risk
value to be greater than, less than, or
• 0 - Specify the value you want this
test to consider. The default is 0.
CVSS Risk Valid when the specified port when the destination • source | destination | either -
has a CVSS risk value that port has a CVSS risk Specify whether the test considers
matches the configured value of greater than the source and/or destination port of
value. this amount the flow.
Specify if you want the threat level to
be greater than, less than, or equal to
Custom Rule Valid when the flow is when the flow is these - Specify the Custom Rule
Engine processed by the specified processed by one of Engine ID number(s) you want this
custom rule engine. these Custom Rule test to consider.
Engines
property is associated with a properties match the • these properties - Specify the value
particular regular expressions following regex you want to associate with this test.
(regex) string. Options include all normalized and
Note: This test assumes custom flow and event properties.
knowledge of regular • regex - Specify the regex string you
expressions (regex). When want this test to consider.
following web site:

302 RULE TESTS
Table C-15 Flow Rules: Common Property Tests (continued)

property is associated with properties contain • these properties - Specify the value
particular hexadecimal any of these you want to associate with this test.
values. hexadecimal values Options include all normalized and
custom flow and event properties.
• these hexadecimal values - Specify
the hexadecimal values you want this
test to consider.
Function - Sequence The function - sequence tests include:

Tests
Table C-16 Flow Rules: Functions Sequence Group

Flow Function building blocks or other rules to rules, in|in any order, • rules - Specify the rules you want this
• source IP | source port | destination
IP | destination port | QID | category
- Specify the source you want this test
to consider. The default is the source
IP address.
• destination IP | destination port -
consider a destination IP address,
username, or destination port. The
default is destination IP.
consider.
seconds.

Flow Rule Tests 303
Table C-16 Flow Rules: Functions Sequence Group (continued)

Flow Function building blocks or other rules to number of these • this number - Specify the number of
this function to detect a number from the same| any consider.
test to consider.
IP address.
consider.
test to consider.
Multi-Flow Allows you to detect a sequence when this sequence of Configure the following parameters:
consider.
seconds.

304 RULE TESTS

flow properties and different flow many times in this want this test to consider.
properties within the configured many minutes after
time interval. these rules match • this many - Specify the number of
the test.
consider.
minutes.
Flow Property Allows you to detect a when these rules Configure the following parameters:
rules with the same flow many times with the want this test to consider.
properties within the configured same flow properties
time interval. in this many minutes • this many - Specify the number of
after these rules
the test.
match
• flow properties - Specify the flow
normalized and custom flow
properties.
consider.
minutes.

Flow Rule Tests 305

Flow Property Allows you to detect when when these rules Configure the following parameters:
flow properties and different flow same flow properties
properties within the configured and different flow • this many - Specify the number of
time interval after a series of properties in this
the test.
specific rules. many minutes after
these rules match • flow properties - Specify the flow
properties.
consider.
minutes.
same flow properties. with the same flow
the test.
properties
consider.
minutes.
properties.

306 RULE TESTS

Function specific rules occur a configured match at least this • these - Specify the rules you want this
number of times with the same many times with the test to consider.
flow properties in a configured same flow properties
time interval after a series of in this many minutes • this many - Specify the number of
specific rules occur with the after these rules
the test.
same flow properties. match with the same
flow properties • flow properties - Specify the flow
properties.
consider.
minutes.
• these - Specify the rules you want this
test to consider.
properties.

Flow Rule Tests 307

flow properties and different flow same flow properties
properties in a configured time and different flow • this many - Specify the number of
interval after a series of specific properties in this
the test.
rules occur with the same flow many minutes after
properties. these rules match • flow properties - Specify the flow
with the same flow properties you want this test to
properties consider. Options include all
properties.
properties.
consider.
minutes.
properties.

308 RULE TESTS

Flow Property Allows you to detect when when at least this Configure the following parameters:
Function specific number of flows occur many flows are seen • this many - Specify the number of
with the same flow properties with the same flow flows you want this test to consider.
and different flow properties in a properties and
configured time interval after a different flow • flow properties - Specify the flow
many minutes after normalized and custom flow
properties.
consider.
minutes.
with the same flow properties in with the same flow flows you want this test to consider.
a configured time interval after a properties in this
series of specific rules occur many minutes after • flow properties - Specify the flow
with the same flow properties. these rules match
with the same flow normalized and custom flow
consider.
minutes.
properties.

Flow Rule Tests 309

with the same flow properties with the same flow flows you want this test to consider.
and different flow properties in a properties and
configured time interval after a different flow • flow properties - Specify the flow
with the same flow properties. many minutes after normalized and custom flow
with the same flow
properties • flow properties - Specify the flow
properties.
consider.
minutes.
• these rules- Specify the rules you
properties.

310 RULE TESTS
Function - Counters The functions - counters tests include:

Tests
Table C-17 Flow Rules: Functions - Counters Group

Multi-Flow Allows you to test the number of when a(n) source IP Configure the following parameters:
Counter flows from configured matches more • source IP | source port | destination
Function conditions, such as, source IP than|exactly this IP | destination port | QID | category
address. You can also use many of these rules - Specify the source you want this test
building blocks and other rules across more to consider. The default is the source
to populate this test. than|exactly this IP address.
many destination IP, • more than |exactly - Specify if you
over this many want this test to consider more than or
minutes exactly the number of rules.
test to consider.
source above.
addresses, ports, or usernames you
is destination IP.
minutes.

Flow Rule Tests 311
Table C-17 Flow Rules: Functions - Counters Group (continued)

or IP address. You can also use across more than| • source IP | source port | destination
to populate this test. destination IP within to consider. The default is the source
this many minutes IP address.
the test.
source option.
is destination IP.
minutes.
Flow Property Allows you to detect a series of when at least this Configure the following parameters:
Function events with the same flow many flows are seen • this many - Specify the number of
properties within the configured with the same flow flows you want this test to consider.
many minutes • flow properties - Specify the flow
test to detect when 100 flows consider. Options include all
with the same source IP normalized and custom flow
consider.
minutes.

312 RULE TESTS

Flow Property Allows you to detect a series of when at least this Configure the following parameters:
Function events with the same flow many flows are seen • this many - Specify the number of
properties and different flow with the same flow flows you want this test to consider.
time interval. different flow • flow properties - Specify the flow
properties in this
For example, you can use this consider. Options include all
many minutes
test to detect when 100 flows normalized and custom flow
address and different • flow properties - Specify the flow
properties.
consider.
minutes.
flow properties within the many times in this want this test to consider.
the test.
consider.
minutes.

Flow Rule Tests 313

Flow Property Allows you to detect a number when these rules Configure the following parameters:
flow properties within the many times with the want this test to consider.
configured time interval. same flow properties
in this many minutes • this many - Specify the number of
the test.
properties.
consider.
minutes.
Flow Property Allows you to detect a number when these rules Configure the following parameters:
flow properties and different flow many times with the want this test to consider.
properties within the configured same flow properties
time interval. and different flow • this many - Specify the number of
properties in this
the test.
many minutes
properties.
properties.
consider.
minutes.

314 RULE TESTS

Tests
Table C-18 Flow Rules: Functions - Simple Group

Multi-Rule Allows you to use saved when a flow matches Configure the following parameters:
Flow Function building blocks and other rules any|all of the following • any | all - Specify either any or all of
to populate this test. The flow rules the configured rules apply to this test.
test to consider.
parameter.

Table C-19 Flow Rules: Date/Time Tests

Flow Day Valid when the flow occurs on when the flow(s) occur Configure the following parameters:
the configured day of the on the selected day • on | after | before - Specify if you
month. of the month want this test to consider on, after, or
before the configured day. The
default is on.
Flow Week Valid when the flow occurs on when the flow(s) occur these days of the week - Specify
the configured days of the on any of these days the days of the week you want this
week. of the week test to consider.
Flow Time Valid when the flow occurs on when the flow(s) occur Configure the following parameters:
the after the configured time. after this time • after | before | at - Specify if you
want this test to consider after,
default is after.

Tests
Table C-20 Flow Rules: Network Property Tests

Local Valid when the flow occurs in when the local network one of the following networks -
Network the specified network. is one of the following Specify the areas of the network you
Object networks want this test to apply.

Flow Rule Tests 315
Table C-20 Flow Rules: Network Property Tests (continued)

address, or any IP address. The default is
source IP address.
consider.
locations address, or any IP address. The default is
source IP address.
Geographic Valid when an IP address is when the source IP is a Configure the following parameters:
address, or any IP address. The default is
source IP address.
consider.

316 RULE TESTS
Function - Negative The function - negative tests include:

Tests
Table C-21 Flow Rules: Functions - Negative Group

Flow Property Allows you to detect when none when none of these Configure the following parameters:
series of specific rules occur these rules match
with the same flow properties. with the same flow • this many - Specify the number of
properties
consider.
minutes.
• these rules Specify the rules you want
properties.
consider.
minutes.
Common Rule This section provides information on the common rule tests you can apply to both
Tests event and flow records including:
• IP/Port Tests
• Functions - Sequence Tests
• Function - Counter Tests
• Date/Time Tests

• Functions Negative Tests

Table C-22 Common Rule: Host Profile Tests

following methods:
scanning. seen destination port. The default is
searches for the configured port scanning. The default is either
assessment.
value within the configured time number of time destination port. The default is
consider.
hours.

318 RULE TESTS
Table C-22 Common Rule: Host Profile Tests (continued)

destination host port profile age host profile port age is • source | destination - Specify if you
is greater than or less than a greater than this want this test to apply to the source or
intervals source.
hours.
Asset Weight Valid when the device being when the destination Configure the following parameters:
attacked (destination) or if the asset has a weight • source | destination - Specify if want
host is that attacker (source) has greater than this this test to consider the source or
an assigned weight greater than weight destination asset. The default is
or less than the configured destination.
value.
http://osvdb.org/.


Table C-23 Common Rule: IP / Port Test Group

of the event or flow is one of of the following ports this test to consider.
the configured source
port(s).
port of the event or flow is one of the following ports this test to consider.
one of the configured
destination port(s).
the event or flow is one of of the following ports this test to consider.
the configured local port(s).
of the event or flow is one of of the following ports this test to consider.
the configured remote
port(s).
Address address of the event or flow of the following IP address(es) you want this test to
is one of the configured IP addresses consider.
address(es).
Address IP address of the event or one of the following IP address(es) you want this test to
flow is one of the configured addresses consider.
IP address(es).
Address address of the event or flow the following IP addresses address(es) you want this test to
is one of the configured IP consider.
address(es).
Address address of the event or flow of the following IP address(es) you want this test to
is one of the configured IP addresses consider.
address(es).
the event or flow is one of following IP addresses consider.
the configured IP
address(es).

320 RULE TESTS
Common Property The common property tests include:

Tests
Table C-24 Common Rules: Common Property Tests

IP Protocol Valid when the IP protocol of when the IP protocol protocols - Specify the protocols
the event or flow is one of the is one of the following you want to add to this test.
Payload Search This test is valid when the when the Flow Source this string - Specify the text string
entered search string is or Destination you want include for this test.
included anywhere in the Payload contains this
event or flow source or string
destination payload.
Context Context is the relationship when the context is this context - Specify the context
between the source and this context you want this test to consider. The
destination of the event or options are:
flow. For example, a local • Local to Local
source to a remote
destination. • Local to Remote
Valid if the context is one of • Remote to Local

the following: • Remote to Remote
• Local to Local
• Local to Remote
• Remote to Local
Source Location Valid when the source is when the source is local | remote - Specify if you want
either local or remote. local or remote the source to be local or remote. The
{default: Remote} default is remote
Destination Valid when the destination IP when the destination local | remote - Specify either local
Location address of the event or flow is local or remote or remote traffic.
is either local or remote. {default: remote}
particular regular expressions Specify the value you want to
(regex) string. associate with this test. The default is
username.
Note: This test assumes
following web site:

Table C-24 Common Rules: Common Property Tests (continued)

IPv6 Valid when the source or when the source Configure the following parameters:
destination IPv6 address is IP(v6) is one of the • source IP(v6) | destination IP(v6) -
the configured IP address. following IPv6 Specify whether you want this test to
addresses consider the source or destination
IPv6 address.
consider.
Reference Set Valid when any or all when any of these Configure the following parameters:
configured event or flow properties are • any | all - Specify if you want this test
properties are contained in contained in any of to consider any or all of the
any or all configured these reference configured event properties.
reference sets. set(s)
• these properties - Specify the event
or flow properties you want this test
to consider.
• any | all - Specify if you want this test
to consider any or all of the
configured reference sets.
consider.
has a CVSS risk value that host has a CVSS risk • source | destination | either -
matches the configured value of greater than Specify whether the test considers
value. this amount the source and/or destination host of
the flow.
Specify if you want the CVSS risk
value to be greater than, less than, or
CVSS Risk Valid when the specified port when the destination • source | destination | either -
has a CVSS risk value that port has a CVSS risk Specify whether the test considers
matches the configured value of greater than the source and/or destination port of
value. this amount the flow.
Specify if you want the threat level to
be greater than, less than, or equal to
Search Filter Valid when the event or flow when the event or flow this search filter - Specify the
matches the specified search matches this search search filter you want this test to
filter. filter consider.

322 RULE TESTS
Table C-24 Common Rules: Common Property Tests (continued)

property is associated with a properties match the • these properties - Specify the value
particular regular expressions following regex you want to associate with this test.
(regex) string. Options include all normalized and
Note: This test assumes custom flow and event properties.
expressions (regex). When want this test to consider.
following web site:
Custom Rule Valid when the event or flow when the event or flow these - Specify the Custom Rule
Engines is processed by the specified is processed by one of Engine you want this test to
Custom Rule Engines these Custom Rule consider.
Engines
property is associated with properties contain • these properties - Specify the value
particular hexadecimal any of these you want to associate with this test.
values. hexadecimal values Options include all normalized and
custom flow and event properties.
• these hexadecimal values - Specify
the hexadecimal values you want this
test to consider.

Functions - The functions - sequence tests include:

Sequence Tests
Table C-25 Common: Functions - Sequence Group

Event Function building blocks or other rules to rules, in|in any order, • rules - Specify the rules you want this
IP address.
consider.
seconds.

324 RULE TESTS
Table C-25 Common: Functions - Sequence Group (continued)

Event Function building blocks or other rules to number of these • this number - Specify the number of
this function to detect a number from the same| any consider.
test to consider.
IP address.
consider.
test to consider.
Multi-Event Allows you to detect a sequence when this sequence of Configure the following parameters:
consider.
seconds.


event properties and different many times in this want this test to consider.
event properties within the many minutes after
configured time interval. these rules match • this many - Specify the number of
the test.
consider.
minutes.
Event Property Allows you to detect a when these rules Configure the following parameters:
rules with the same event many times with the want this test to consider.
properties within the configured same event
time interval. properties in this • this many - Specify the number of
many minutes after
the test.
these rules match
properties.
consider.
minutes.

326 RULE TESTS

event properties within the properties and • this many - Specify the number of
configured time interval after a different event
the test.
series of specific rules. properties in this
many minutes after • event properties - Specify the event
properties.
consider.
minutes.
same event properties. with the same event
the test.
properties
consider.
minutes.
properties.


event properties in a configured same event
time interval after a series of properties in this • this many - Specify the number of
specific rules occur with the many minutes after
the test.
same event properties. these rules match
with the same event • event properties - Specify the event
properties properties you want this test to
properties.
consider.
minutes.
properties.

328 RULE TESTS

event properties in a configured properties and • this many - Specify the number of
time interval after a series of different event
the test.
specific rules occur with the properties in this
same event properties. many minutes after • event properties - Specify the event
with the same event consider. Options include all
properties
properties.
properties.
consider.
minutes.
properties.


many minutes after normalized and custom event
properties.
consider.
minutes.
in a configured time interval properties in this
after a series of specific rules many minutes after • event properties - Specify the event
occur with the same event these rules match
properties. with the same event normalized and custom event
consider.
minutes.
properties.

330 RULE TESTS

with the same event properties. many minutes after normalized and custom event
with the same event
properties • event properties - Specify the event
properties.
consider.
minutes.
properties.

Function - Counter The function - counter tests include:

Tests
Table C-26 Common Rules: Functions - Counter Test Group

Multi-Event Allows you to test the number of when a(n) source IP Configure the following parameters:
Counter events or flows from configured matches more • source IP | source port | destination
Function conditions, such as, source IP than|exactly this IP | destination port | QID | category
address. You can also use many of these rules - Specify the source you want this test
building blocks and other rules across more to consider. The default is the source
to populate this test. than|exactly this IP address.
many destination IP, • more than | exactly - Specify if you
over this many want this test to consider more than or
minutes exactly the number of rules.
test to consider.
source above.
addresses, ports, QIDs, events, log
sources, or categories you want this
test to consider.
is destination IP.
minutes.

332 RULE TESTS
Table C-26 Common Rules: Functions - Counter Test Group (continued)

or IP address. You can also use across more than| • source IP | source port | destination
to populate this test. destination IP within to consider. The default is the source
this many minutes IP address.
the test.
source option.
is destination IP.
minutes.
properties within the configured with the same event events you want this test to consider.
test to detect when 100 events consider. Options include all
with the same source IP normalized and custom event
consider.
minutes.


properties and different event with the same event events you want this test to consider.
time interval. different event • event properties - Specify the event
properties in this
For example, you can use this consider. Options include all
many minutes
test to detect when 100 events normalized and custom event
address and different • event properties - Specify the event
properties.
consider.
minutes.
event properties within the many times in this want this test to consider.
the test.
consider.
minutes.

334 RULE TESTS

event properties within the many times with the want this test to consider.
configured time interval. same event
properties in this • this many - Specify the number of
many minutes
the test.
properties.
consider.
minutes.
event properties and different many times with the want this test to consider.
event properties within the same event
configured time interval. properties and • this many - Specify the number of
different event
the test.
properties in this
properties.
properties.
consider.
minutes.


Tests
Table C-27 Common Rules: Functions - Simple Test Group

Multi-Rule Allows you to use saved when a flow or an Configure the following parameters:
Event Function building blocks and other rules event matches any|all • any | all - Specify either any or all of
to populate this test. The event of the following rules the configured rules apply to this test.
test to consider.
parameter.

Table C-28 Common Rule: Date/Time Tests

Event/Flow Day Valid when the event or flow when the flow(s) or Configure the following parameters:
occurs on the configured day event(s) occur on the • on | after | before - Specify if you
of the month. selected day of the want this test to consider on, after, or
month before the configured day. The
default is on.
Event/Flow Week Valid when the event or flow when the flow(s) or these days of the week - Specify
occurs on the configured event(s) occur on any the days of the week you want this
days of the week. of these days of the test to consider.
week
Event/Flow Time Valid when the event or flow when the flow(s) or Configure the following parameters:
occurs on the after the event(s) occur after • after | before | at - Specify if you
configured time. this time want this test to consider after,
default is after.

Tests
Table C-29 Common Rule: Network Property Tests

Local Valid when the event occurs when the local network one of the following networks -
Network in the specified network. is one of the following Specify the areas of the network you
Object networks want this test to apply.

336 RULE TESTS
Table C-29 Common Rule: Network Property Tests (continued)

consider.
locations address, or any IP address.
Geographic Valid when an IP address is when the Source IP is a Configure the following parameters:
consider.

Functions Negative The functions negative tests include:

Tests
Table C-30 Common Rules: Functions - Negative Test Group

Flow Property Allows you to detect when none when none of these Configure the following parameters:
series of specific rules occur these match with the
with the same flow properties. same flow properties • this many - Specify the number of
consider.
minutes.
• these - Specify the rules you want this
test to consider.
properties.
consider.
minutes.
Offense Rule Tests This section provides information on the tests you can apply to the offense rules
including:
• IP/Port Tests
• Function Tests
• Date/Time Tests
• Log Source Tests
• Offense Property Tests

338 RULE TESTS

Table C-31 Offense Rules: IP/Port Test Group

Offense Index Valid when the source IP when the offense is IP addresses - Specify the IP
address is one of the indexed by one of the address(es) you want this test to
configured IP address(es). following IP addresses. consider. You can enter multiple
entries using a comma-separated
list.
Destination IP Valid when the destination list when the destination list Configure the following parameters:
Address is any of the configured IP includes any of the • any | all - Specify if you want this test
adddress(es). following IP addresses to consider any or all of the listed
destinations. The default is any.
• IP addresses - Specify the IP
address(es) you want this test to
consider. You can enter multiple
entries using a comma-separated list.
Function Tests The function tests include:

Table C-32 Offense Rules: Offense Function Group

Multi-Rule Allows you to use saved when the offense Configure the following parameters:
Offense building blocks and other matches any of the • any | all - Specify either any or all of
Function rules to populate this test. The following offense rules. the configured rules apply to this test.
offense has to match either all The default is any.
or any of the selected rules. If
• offense rules - Specify the rules you
you want to create an OR
statement for this rule test,
specify the any parameter.

Table C-33 Offense Rules: Date/Time Tests

Offense Day Valid when the offense when the offense(s) Configure the following parameters:
occurs on the configured day occur on the selected • on | after | before - Specify if you
of the month. day of the month want this rule to consider on, after, or
before the selected date. The default
is on.
• selected - Specify the date you want

Table C-33 Offense Rules: Date/Time Tests (continued)

Offense Week Valid when the offense when the offense(s) Configure the following parameters:
occurs on the configured day occur on these days of • on | after | before - Specify if you
of the week. the week want this rule to consider on, after, or
before the selected day. The default
is on.
• these days of the week - Specify
the days you want this test to
consider.
Offense Time Valid when the offense when the offense(s) Configure the following parameters:
occurs after, before, or on the occur after this time • on | after | before - Specify if you
configured time. want this test to consider after,
before, or at a specified time. The
default is after.
Log Source Tests The log source tests include:

Table C-34 Offense Rules: Log Source Tests

Log Source Types Valid when one of the when the log source log source types - Specify the log
configured log source types type(s) that detected source types that you want this test
is the source of the offense. the offense is one of to detect.
the following log
source types
Number of Log Valid when the number of log when the number of Configure the following parameters:
Source Type source types is greater than log source types that • greater than | equal to - Specify if
the configured value. detected the offense is you want the threat level to be
greater than this greater than or equal to the
number configured value.
• this number - Specify the number of
log source types that you want this
test to consider.
Offense Property The offense property tests include:

Tests
Table C-35 Offense Rules: Offense Property Tests

Network Object Valid when the network is when the networks Configure the following parameters:
affected are any or all of the affected are any of the • any | all - Specify if you want this test
configured networks. following networks to consider any or all networks. The
default is any.
• the following networks - Specify
the networks you want this test to
consider.

340 RULE TESTS
Table C-35 Offense Rules: Offense Property Tests (continued)

Offense Valid when the event when the categories of Configure the following parameters:
Category category is any or all of the the offense includes any • any | all - Specify if you want this test
configured event categories. of the following list of to consider any or all categories.
categories The default is any.
• list of categories - Specify the
categories you want this test to
consider.
Categories.
Severity Valid when the severity is when the offense severity Configure the following parameters:
greater than, less than, or is greater than 5 • greater than | less than | equal to -
equal to the configured {default} Specify if you want the offense
value. severity to be greater than, less than,
or equal to the configured value.
Credibility Valid when the credibility is when the offense Configure the following parameters:
greater than, less than, or credibility is greater than • greater than | less than | equal to -
equal to the configured 5 {default} Specify if you want the offense
value. credibility to be greater than, less
than, or equal to the configured
value.
test to consider.
Relevance Valid when the relevance is when the offense Configure the following parameters:
greater than, less than, or relevance is greater than • greater than | less than | equal to -
value. relevance to be greater than, less
value.
test to consider.
Offense Context Offense Context is the when the offense context this context - Specify the context
relationship between the is this context you want this test to consider. The
source and destination of the options are:
offense. For example, a local • Local to Local
attacker to a remote target.
• Local to Remote
Valid if the offense context is
one of the following: • Remote to Local
• Local to Local • Remote to Remote
• Local to Remote
• Remote to Local


Offense Valid when the event when the categories of Configure the following parameters:
Category category is any or all of the the offense includes any • any | all - Specify if you want this test
configured event categories. of the following list of to consider any or all categories.
categories The default is any.
• list of categories - Specify the
categories you want this test to
consider.
Categories.
Severity Valid when the severity is when the offense severity Configure the following parameters:
greater than, less than, or is greater than 5 • greater than | less than | equal to -
equal to the configured {default} Specify if you want the offense
value. severity to be greater than, less than,
or equal to the configured value.
Credibility Valid when the credibility is when the offense Configure the following parameters:
greater than, less than, or credibility is greater than • greater than | less than | equal to -
value. credibility to be greater than, less
value.
test to consider.
Relevance Valid when the relevance is when the offense Configure the following parameters:
greater than, less than, or relevance is greater than • greater than | less than | equal to -
value. relevance to be greater than, less
value.
test to consider.
Offense Context Offense Context is the when the offense context this context - Specify the context
relationship between the is this context you want this test to consider. The
source and destination of the options are:
offense. For example, a local • Local to Local
attacker to a remote target.
• Local to Remote
Valid if the offense context is
one of the following: • Remote to Local
• Local to Local • Remote to Remote
• Local to Remote
• Remote to Local

342 RULE TESTS

Source Location Valid when the source is when the source is local local | remote - Specify if you want
either local or remote. or local or remote the source to be local or remote.
{default: Remote} The default is remote
Destination Valid when the destination is when the destination list locate IPs | remote IPs - Specify if
Location either local or remote. The includes local or remote you want the target to be local or
default is remote. IP addresses {default: remote. The default is Remote IPs.
remote}
Destination Valid when the number of when the number of Configure the following parameters:
Count in an destinations for an offense destinations under attack • greater than | equal to - Specify if
Offense greater than, less than, or is greater than this you want the number of destinations
equal to the configured number to be greater than or equal to the
value. configured value.
• this number - Specify the value you
Event Count in Valid when the number of when the number of Configure the following parameters:
an Offense events/flows for an offense is events/flows making up • greater than | equal to - Specify if
greater than, less than, or the offense is greater you want the number of events to be
equal to the configured than this number greater than or equal to the
value. configured value.
Category Count Valid when the number of when the number of Configure the following parameters:
in an Offense event categories for an categories involved in the • greater than | equal to - Specify if
offense greater than, less offense is greater than you want the number of categories to
than, or equal to the this number be greater than or equal to the
configured value. configured value.
Categories.
Offense ID Valid when the Offense ID is when the offense ID is this ID - Specify the offense ID you
the configured value. this ID want this test to consider.
Offense Creation Valid when a new offense is when a new offense is
created. created


Offense Change Valid when the configured when the offense Configure the following parameters:
offense property has property has increased • Magnitude | Severity | Credibility |
increased above the by at least this percent Relevance| Destination count |
configured value. Source count | Category count |
Annotation count | Event count -
Specify the property you want this
test to consider.The default is
magnitude.
• this - Specify the percent or unit
value you want this test to consider.
• percent | unit(s) - Specify if you
want this test to consider percentage
or units.
Anomaly Detection This section provides information on the tests you can apply to the anomaly
Rule Tests detection rules including:
• Anomaly Rule Tests
• Behavioral Rule Tests
• Threshold Rule Tests
Anomaly Rule Tests This section provides information on the anomaly rule tests you can apply to the
rules including:
• Anomaly Tests
• Time Threshold Tests
Anomaly Tests
The anomaly test group includes:

344 RULE TESTS
Table C-36 Anomaly Rules: Anomaly Tests

Anomaly Valid when the accumulated when the average value Configure the following parameters:
property has increased or (per interval) of this • this accumulated property - Specify the
decreased by the specified accumulated property accumulated property you want this test
percentage over a short over the last 1 min is at to consider.
period of time when least percentage%
• 1 min - Specify the time interval you want
compared against the different from the
this test to consider. The default is 1 min.
specified larger period time. average value (per
• 40 - Specify the percentage you want this
For example, if your average interval of the same test to consider. The default is 40.
property over the last 1
destination bytes for the last
min • 1 min - Specify the time interval this tests
24 hours is 100,000,000
used to compare the interval length. The
bytes out for each minute
default is 1 min.
and then over a 5 minute
period, the average bytes out
increases by 40 percent, this
test is valid.
Note: The Accumulator
sends data to the Anomaly
Detection Rule engine in one
minute intervals. For more
information the accumulator,
see Chapter 8 Using the
Deployment Editor.
Minimum Valid when the tested value when accumulation some value - Specify the value you
Value for the accumulated interval intervals are only want to consider for the configured
exceeds the configured considered if the tested accumulation interval.
value. value for that interval
exceeds some value
Time Threshold Tests

The time threshold test group includes:
Table C-37 Anomaly Rules: Time Threshold Tests

Date Range Valid when anomalous when the date is Configure the following parameters:
activity is detected within the between this date and • this date - Specify the start date for your
specified date range. this date date range.
• this date - Specify the end date for your
date range.
Day of the Valid when anomalous when the day of the these selected days - Specify the days
Week activity is detected on the week is any of these you want this test to consider.
specified day of the week. selected days

Table C-37 Anomaly Rules: Time Threshold Tests (continued)

Time Range Valid when anomalous when the time of day is Configure the following parameters:
activity is detected within the between this time and • this time - Specify the start time for your
specified time range. this time date range.
• this time - Specify the end date for your
date range.
Behavioral Rule This section provides information on the behavioral rule tests you can apply to the
Tests rules including:
• Behavioral Tests
Behavioral Tests
The behavioral test group includes:
Table C-38 Behavioral Rules: Behavioral Tests

Accumulated Specifies which accumulated when this accumulated this accumulated property - Specify
Property property this rules considers. property is the tested the accumulated property you want this
property test to consider.
Current Valid when the current traffic when the importance of 70 - Specify the level of importance, on
Traffic Level level represents specified the current traffic level a scale of 0 to 100, you want this test to
seasonal change in data (on a scale of 0 to 100) consider. The default is 70.
over the time period is importance
specified in the Season compared to learned
Length test. traffic trends and
behavior
For example, the current
traffic level test can compare
current data with data from
the same time period
yesterday.
Traffic Trend trend represents the the current traffic trend a scale of 0 to 100, you want this test to
specified seasonal effect in (on a scale of 0 to 100) consider. The default is 30.
data for each time interval. is importance
compared to learned
traffic trend test can test for traffic trends and
behavior
when data increases the
same amount from week 2 to
week 3 as it did from week 1
to week 2.

346 RULE TESTS
Table C-38 Behavioral Rules: Behavioral Tests (continued)

Traffic behavior changes in data for the current traffic a scale of 0 to 100, you want this test to
Behavior each time interval. behavior (on a scale of 0 consider. The default is 30.
to 100) is importance
compared to learned
traffic behavior test can test
traffic trends and
for data changes when
behavior
comparing this minute to the
minute before.
Deviation Valid when accumulated when the actual field 50 - Specify the percentage of deviation
property deviates from the value deviates by a you want this test to consider. The
predicted traffic pattern. margin of at least default is 50%
deviation% of the
extrapolated (predicted
field value)
Season Valid when the season when the season length a day | a week | a month - Specify the
Length length represents the time is season season length you want this test to
interval you want to test. consider.
Typically for network traffic,
you can set the season
length as a week. When
monitoring traffic from
automated systems, we
recommend setting the
season length as day.
Minimum Valid when the tested value when accumulation 0 - Specify the value you want to
Value for the accumulated interval intervals are only consider for the configured
exceeds the configured considered if the tested accumulation interval.
value. value for that interval
exceeds 0

Table C-39 Behavioral Rules: Time Threshold Tests

date range.

Table C-39 Behavioral Rules: Time Threshold Tests (continued)

date range.
Threshold Rule Tests This section provides information on the threshold rule tests you can apply to the
rules including:
• Field Threshold Tests
Field Threshold Tests

The field threshold test group includes:
Table C-40 Threshold Rules: Field Threshold Tests

Threshold Valid when the accumulated when this accumulated • this accumulated property - Specify the
Value property is greater than, less property is greater accumulated property you want this test
than, or equal to specified than this value to consider.
value. You can specify the (accumulated in 1 min • greater than | less than | equal to -
interval, in minutes, you want intervals) Specify whether the accumulate property
to accumulate the property. value is greater than, less than, or equal
to the configured value.
• 1 min - Specify the interval, in minutes,
you want to accumulate the property. The
default is 1 min.
Threshold Valid when the accumulated when this accumulated • this accumulated property - Specify the
Range property is within a specified property is between accumulated property you want this test
range. You can specify the this value and this to consider.
interval, in minutes, you want value (accumulated in 1 • 0 - Specify the value you want this test to
to accumulate the property. min intervals) consider as the start of the range. The
default is 0.
consider as the end of the range. The
default is 0.
• 1 min - Specify the interval, in minutes,
you want to accumulate the property. The
default is 1 min.

348 RULE TESTS

Table C-41 Threshold Rules: Time Threshold Tests

date range.
date range.

D VIEWING AUDIT LOGS
Changes made by QRadar users are recorded in the audit logs. You can view the
audit logs to monitor changes to QRadar and the users performing those changes.
All audit logs are stored in plain text and are archived and compressed once the
audit log file reaches a size of 200 MB. The current log file is named audit.log.
Once the file reaches a size of 200 MB, the file is compressed and renamed as
follows: audit.1.gz, audit.2.gz, etc with the file number incrementing each
time a log file is archived. QRadar stores up to 50 archived log files.
This appendix provides information on using the audit logs including:

• Logged Actions
• Viewing the Log File
Logged Actions QRadar logs the following categories of actions in the audit log file:
Note: You can view audit log events using the Log Activity interface. Table D-1
provides a record of the logged actions.
Table D-1 Logged Actions
Category Action
User Authentication Log in to QRadar.
Log out of QRadar.
Audit Log Access Perform a search that includes events with a
high-level event category of Audit.
Chart Configuration Save flow or event chart configuration.
Administrator Authentication Log in to the QRadar Administration Console.
Log out of the QRadar Administration Console.
System Management Shutdown a system.
Restart a system.

350 VIEWING AUDIT LOGS
Table D-1 Logged Actions (continued)
Category Action
Session Authentication Create a new administration session.
Terminate an administration session.
Deny an invalid authentication session.
Expire a session authentication.
Create an authentication session.
Terminate an authentication session.
User Authentication Ariel Deny a login attempt.
Add an Ariel property.
Delete an Ariel property.
Edit an Ariel property.
Add an Ariel property extension.
Delete an Ariel property extension.
Edit an Ariel property extension.
Root Login Log in to QRadar, as root.
Log out of QRadar, as root.
Rules Add a rule.
Delete a rule.
Edit a rule.
Reference Sets Create a reference set.
Edit a reference set.
Purge elements in a reference set.
Delete a reference set.
User Accounts Add an account.
Edit an account.
Delete an account.
User Roles Add a role.
Edit a role.
Delete a role.
Log Sources Add a log source.
Edit a log source.
Delete a log source.
Add a log source group.
Edit a log source group.
Delete a log source group.
Edit the DSM parsing order.

Logged Actions 351
Category Action
Log Source Extension Add an log source extension.
Edit the log source extension.
Delete a log source extension.
Upload a log source extension.
Upload a log source extension successfully.
Upload an invalid log source extension.
Download a log source extension.
Report a log source extension.
Modify a log sources association to a device or
device type.
Protocol Configuration Add a protocol configuration.
Delete a protocol configuration.
Edit a protocol configuration.
Flow Sources Add a flow source.
Edit a flow source.
Delete a flow source.
Offenses Hide an offense.
Close an offense.
Close all offenses.
Add a destination note.
Add a source note.
Add a network note.
Add an offense note.
TNC Recommendations Create a recommendation.
Edit a recommendation.
Delete a recommendation.
Syslog Forwarding Add a syslog forwarding.
Delete a syslog forwarding.
Edit a syslog forwarding.

Category Action
Reports Add a template.
Delete a template.
Edit a template.
Execute a template.
Delete a report.
Delete generated content.
View a generated report.
E-mail a generated report.
Groups Add a group.
Delete a group.
Edit a group.
Backup and Recovery Edit the configuration.
Initiate the backup.
Complete the backup.
Fail the backup.
Delete the backup.
Synchronize the backup.
Cancel the backup.
Initiate the restore.
Upload a backup.
Upload an invalid backup.
Delete the backup.
Purge the backup.
VIS Discover a new host.
Discover a new operating system.
Discover a new port.
Discover a new vulnerability.
Scanner Add a scanner.
Delete a scanner.
Edit a scanner.
Scanner Schedule Add a schedule.
Edit a schedule.
Delete a schedule.
SIM Clean a SIM model.

Viewing the Log File 353
Category Action
High Availability Add an HA host.
Remove an HA host.
Set an HA system offline.
Set an HA system online.
Restore an HA system.
Assets Delete an asset.
Delete all assets.
QIDmap Add a QID map entry.
Edit a QID map entry.
Custom Properties Add a custom event property.
Edit a custom event property.
Delete a custom event property.
Add a custom flow property.
Edit a custom flow property.
Delete a custom flow property.
Custom Property Expressions Add a custom event property expression.
Edit a custom event property expression.
Delete a custom event property expression.
Add a custom flow property expression.
Edit a custom flow property expression.
Delete a custom flow property expression.
Installation Install a .rpm package, such as a DSM update.
License Add a license key.
Edit a license key.
Viewing the Log To view the audit logs:

File
Step 1 Log in to QRadar, as root.
Step 2 Go to the following directory:
/var/log/audit
Step 3 Open the desired audit log file.
Each entry in the log file displays using the following format:
Note: The maximum size of any audit message (not including date, time, and host
name) is 1024 characters.

<date_time> <host name> <user>@<IP address> (thread ID)

[<category>] [<sub-category>] [<action>] <payload>
Where:
<date_time> is the date and time of the activity in the format: Month Date
HH:MM:SS.
<host name> is the host name of the Console where this activity was logged.
<user> is the name of the user that performed the action.
<IP address> is the IP address of the user that performed the action.
(thread ID) is the identifier of the Java thread that logged this activity.
<category> is the high-level category of this activity.
<sub-category> is the low-level category of this activity.
<action> is the activity that occurred.
<payload> is the complete record that has changed, if any. This may include a
user record or an event rule.
For example:
Nov 6 12:22:31 localhost.localdomain admin@10.100.100.15
(Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain jsam@10.100.100.15 (0)
[Configuration] [User Account] [Account Modified]
username=james, password=/oJDuXP7YXUYQ, networks=ALL,
email=sam@q1labs.com, userrole=Admin
Nov 13 10:14:44 localhost.localdomain admin@10.100.45.61 (0)
[Configuration] [FlowSource] [FlowSourceModified] Flowsource(
name="tim", enabled="true", deployed="false",
asymmetrical="false", targetQflow=DeployedComponent(id=3),
flowsourceType=FlowsourceType(id=6),
flowsourceConfig=FlowsourceConfig(id=1))

E EVENT CATEGORIES
This document provides information on the types of event categories and the
processing of events. This document provides information on event categories
including:
• High-Level Event Categories
• Recon
• DoS
• Authentication
• Access
• Exploit
• Malware
• Suspicious Activity
• System
• Policy
• CRE
• Potential Exploit
• SIM Audit
• VIS Host Discovery
• Application
• Audit
• Risk
Note: The Risk high-level category only appears in the interface when QRadar
Risk Manager is installed.

356 EVENT CATEGORIES
High-Level Event The high-level event categories include:

Categories
Table E-1 High-Level Event Categories
Category Description
Recon Events relating to scanning and other techniques used to identify
network resources, for example, network or host port scans.
DoS Events relating to Denial of Service (DoS) or Distributed Denial of
Service (DDoS) attacks against services or hosts, for example,
brute force network DoS attacks.
Authentication Events relating to authentication controls, group, or privilege
change, for example, log in or log out.
Access Events resulting from an attempt to access network resources,
for example, firewall accept or deny.
Exploit Events relating to application exploits and buffer overflow
attempts, for example, buffer overflow or web application
exploits.
Malware Events relating to viruses, trojans, back door attacks, or other
forms of hostile software. This may include a virus, trojan,
malicious software, or spyware.
Suspicious The nature of the threat is unknown but behavior is suspicious
Activity including protocol anomalies that potentially indicate evasive
techniques, for example, packet fragmentation or known IDS
evasion techniques.
System Events related to system changes, software installation, or status
messages.
Policy Events regarding corporate policy violations or misuse.
CRE Events generated from an offense or event rule. For more
information on creating custom rules, see the QRadar
Administration Guide.
Potential Exploit Events relating to potential application exploits and buffer
overflow attempts.
SIM Audit Events relating to user interaction with the Console and
administrative functions.
VIS Host Events relating to the host, ports, or vulnerabilities that the VIS
Discovery component discovers.
Application Events relating to application activity.
Audit Events relating to audit activity in QRadar Risk Manager.
Risk Events relating to risk activity in QRadar Risk Manager.

Recon 357
Recon The Recon category indicates events relating to scanning and other techniques
used to identify network resources. The associated low-level event categories
include:
Table E-2 Recon Categories
Low Level Event Severity Level

Category Description (0 to 10)
Unknown Form of Recon Indicates an unknown form of 2
reconnaissance.
Application Query Indicates reconnaissance to 3
applications on your system.
Host Query Indicates reconnaissance to a host in 3
your network.
Network Sweep Indicates reconnaissance on your 4
network.
Mail Reconnaissance Indicates reconnaissance on your mail 3
system.
Windows Reconnaissance Indicates reconnaissance for windows. 3
Portmap / RPC Request Indicates reconnaissance on your 3
portmap or RPC request.
Host Port Scan Indicates a scan occurred on the host’s 4
ports.
RPC Dump Indicates Remote Procedure Call 3
(RPC) information is removed.
DNS Reconnaissance Indicates reconnaissance on the DNS 3
server.
Misc Reconnaissance Indicates a miscellaneous 2
Event reconnaissance event.
Web Reconnaissance Indicates web reconnaissance on your 3
network.
Database Reconnaissance Indicates database reconnaissance on 3
your network.
ICMP Reconnaissance Indicates reconnaissance on ICMP 3
traffic.
UDP Reconnaissance Indicates reconnaissance on UDP 3
traffic.
SNMP Reconnaissance Indicates reconnaissance on SNMP 3
traffic.
ICMP Host Query Indicates an ICMP host query. 3
UDP Host Query Indicates a UDP host query. 3
NMAP Reconnaissance Indicates NMAP reconnaissance. 3
TCP Reconnaissance Indicates TCP reconnaissance on your 3
network.

Table E-2 Recon Categories (continued)

Unix Reconnaissance Indicates reconnaissance on your 3
UNIX network.
FTP Reconnaissance Indicates FTP reconnaissance. 3
DoS The DoS category indicates events relating to Denial Of Service (DoS) attacks
against services or hosts. The associated low-level event categories include:
Table E-3 DoS Categories

Unknown DoS Attack Indicates an unknown DoS attack. 8
ICMP DoS Indicates an ICMP DoS attack. 9
TCP DoS Indicates a TCP DoS attack. 9
UDP DoS Indicates a UDP DoS attack. 9
DNS Service DoS Indicates a DNS service DoS attack. 8
Web Service DoS Indicates a web service DoS attack. 8
Mail Service DoS Indicates a mail server DoS attack. 8
Distributed DoS Indicates a distributed DoS attack. 9
Misc DoS Indicates a miscellaneous DoS attack. 8
Unix DoS Indicates a Unix DoS attack. 8
Windows DoS Indicates a Windows DoS attack. 8
Database DoS Indicates a database DoS attack. 8
FTP DoS Indicates an FTP DoS attack. 8
Infrastructure DoS Indicates a DoS attack on the 8
infrastructure.
Telnet DoS Indicates a Telnet DoS attack. 8
Brute Force Login Indicates access to your system 8
through unauthorized methods.
High Rate TCP DoS Indicates a high rate TCP DoS attack. 8
High Rate UDP DoS Indicates a high rate UDP DoS attack. 8
High Rate ICMP DoS Indicates a high rate ICMP DoS attack. 8
High Rate DoS Indicates a high rate DoS attack. 8
Medium Rate TCP DoS Indicates a medium rate TCP attack. 8
Medium Rate UDP DoS Indicates a medium rate UDP attack. 8
Medium Rate ICMP DoS Indicates a medium rate ICMP attack. 8
Medium Rate DoS Indicates a medium rate DoS attack. 8

DoS 359
Table E-3 DoS Categories (continued)

Medium Rate DoS Indicates a medium rate DoS attack. 8
Low Rate TCP DoS Indicates a low rate TCP DoS attack. 8
Low Rate UDP DoS Indicates a low rate UDP DoS attack. 8
Low Rate ICMP DoS Indicates a low rate ICMP DoS attack. 8
Low Rate DoS Indicates a low rate DoS attack. 8
Distributed High Rate TCP Indicates a distributed high rate TCP 8
DoS DoS attack.
Distributed High Rate UDP Indicates a distributed high rate UDP 8
DoS DoS attack.
Distributed High Rate Indicates a distributed high rate ICMP 8
ICMP DoS DoS attack.
Distributed High Rate DoS Indicates a distributed high rate DoS 8
attack.
Distributed Medium Rate Indicates a distributed medium rate 8
TCP DoS TCP DoS attack.
UDP DoS UDP DoS attack.
ICMP DoS ICMP DoS attack.
DoS DoS attack.
Distributed Low Rate TCP Indicates a distributed low rate TCP 8
DoS DoS attack.
Distributed Low Rate UDP Indicates a distributed low rate UDP 8
DoS DoS attack.
Distributed Low Rate ICMP Indicates a distributed low rate ICMP 8
DoS DoS attack.
Distributed Low Rate DoS Indicates a distributed low rate DoS 8
attack.
High Rate TCP Scan Indicates a high rate TCP scan. 8
High Rate UDP Scan Indicates a high rate UDP scan. 8
High Rate ICMP Scan Indicates a high rate ICMP scan. 8
High Rate Scan Indicates a high rate scan. 8
Medium Rate TCP Scan Indicates a medium rate TCP scan. 8
Medium Rate UDP Scan Indicates a medium rate UDP scan. 8
Medium Rate ICMP Scan Indicates a medium rate ICMP scan. 8
Medium Rate Scan Indicates a medium rate scan. 8
Low Rate TCP Scan Indicates a low rate TCP scan. 8
Low Rate UDP Scan Indicates a low rate UDP scan. 8

Table E-3 DoS Categories (continued)

Low Rate ICMP Scan Indicates a low rate ICMP scan. 8
Low Rate Scan Indicates a low rate scan. 8
VoIP DoS Indicates a VoIP DoS attack. 8
Flood Indicates a Flood attack. 8
TCP Flood Indicates a TCP flood attack. 8
UDP Flood Indicates a UDP flood attack. 8
ICMP Flood Indicates a ICMP flood attack. 8
SYN Flood Indicates a SYN flood attack. 8
URG Flood Indicates a flood attack with the urgent 8
(URG) flag on.
SYN URG Flood Indicates a SYN flood attack with the 8
urgent (URG) flag on.
SYN FIN Flood Indicates a SYN FIN flood attack. 8
SYN ACK Flood Indicates a SYN ACK flood attack. 8
Authentication The authentication category indicates events relating to authentication, sessions

and access controls to monitor users on the network. The associated low-level
event categories include:
Table E-4 Authentication Categories

Unknown Authentication Indicates unknown authentication. 1
Host Login Succeeded Indicates a successful host login. 1
Host Login Failed Indicates the host login has failed. 3
Misc Login Succeeded Indicates that the login sequence 1
succeeded.
Misc Login Failed Indicates that login sequence failed. 3
Privilege Escalation Failed Indicates that the privileged escalation 3
failed.
Privilege Escalation Indicates that the privilege escalation 1
Succeeded succeeded.
Mail Service Login Indicates that the mail service login 1
Mail Service Login Failed Indicates that the mail service login 3
failed.
Auth Server Login Failed Indicates that the authentication server 3
login failed.

Authentication 361
Table E-4 Authentication Categories (continued)

Auth Server Login Indicates that the authentication server 1
Succeeded login succeeded.
Web Service Login Indicates that the web service login 1
Web Service Login Failed Indicates that the web service login 3
failed.
Admin Login Successful Indicates an administrative login has 1
been successful.
Admin Login Failure Indicates the administrative login failed. 3
Suspicious Username Indicates that a user attempted to 4
access the network using an incorrect
username.
Login with username/ Indicates that a user accessed the 4
password defaults network using the default username
successful and password.
Login with username/ Indicates that a user has been 4
password defaults failed unsuccessful accessing the network
using the default username and
password.
FTP Login Succeeded Indicates that the FTP login has been 1
successful.
FTP Login Failed Indicates that the FTP login failed. 3
SSH Login Succeeded Indicates that the SSH login has been 1
successful.
SSH Login Failed Indicates that the SSH login failed. 2
User Right Assigned Indicates that user access to network 1
resources has been successfully
granted.
User Right Removed Indicates that user access to network 1
resources has been successfully
removed.
Trusted Domain Added Indicates that a trusted domain has 1
been successfully added to your
deployment.
Trusted Domain Removed Indicates that a trusted domain has 1
been removed from your deployment.
System Security Access Indicates that system security access 1
Granted has been successfully granted.
System Security Access Indicates that system security access 1
Removed has been successfully removed.
Policy Added Indicates that a policy has been 1
successfully added.


Policy Change Indicates that a policy has been 1
successfully changed.
User Account Added Indicates that a user account has been 1
successfully added.
User Account Changed Indicates a change to an existing user 1
account.
Password Change Failed Indicates that an attempt to change an 3
existing password failed.
Password Change Indicates that a password change has 1
Succeeded been successful.
User Account Removed Indicates that a user account has been 1
successfully removed.
Group Member Added Indicates that a group member has 1
been successfully added.
Group Member Removed Indicates that a group member has 1
been removed.
Group Added Indicates that a group has been 1
successfully added.
Group Changed Indicates a change to an existing 1
group.
Group Removed Indicates a group has been removed. 1
Computer Account Added Indicates a computer account has been 1
successfully added.
Computer Account Indicates a change to an existing 1
Changed computer account.
Computer Account Indicates a computer account has been 1
Removed successfully removed.
Remote Access Login Indicates that access to the network 1
Succeeded using a remote login has been
successful.
Remote Access Login Indicates that an attempt to access the 3
Failed network using a remote login failed.
General Authentication Indicates that the authentication 1
Successful processes has been successful.
General Authentication Indicates that the authentication 3
Failed process failed.
Telnet Login Succeeded Indicates that the telnet login has been 1
successful.
Telnet Login Failed Indicates that the telnet login failed. 3
Suspicious Password Indicates that a user attempted to login 4
using a suspicious password.

Authentication 363

Samba Login Successful Indicates a user successfully logged in 1
using Samba.
Samba Login Failed Indicates user login failed using 3
Samba.
Auth Server Session Indicates that a communication session 1
Opened with the authentication server has been
started.
Auth Server Session Indicates that a communication session 1
Closed with the authentication server has been
closed.
Firewall Session Closed Indicates that a firewall session has 1
been closed.
Host Logout Indicates that a host successfully 1
logged out.
Misc Logout Indicates that a user successfully 1
logged out.
Auth Server Logout Indicates that the process to log out of 1
the authentication server has been
successful.
Web Service Logout Indicates that the process to log out of 1
the web service has been successful.
Admin Logout Indicates that the administrative user 1
successfully logged out.
FTP Logout Indicates that the process to log out of 1
the FTP service has been successful.
SSH Logout Indicates that the process to log out of 1
the SSH session has been successful.
Remote Access Logout Indicates that the process to log out 1
using remote access has been
successful.
Telnet Logout Indicates that the process to log out of 1
the Telnet session has been
successful.
Samba Logout Indicates that the process to log out of 1
Samba has been successful.
SSH Session Started Indicates that the SSH login session 1
has been initiated on a host.
SSH Session Finished Indicates the termination of an SSH 1
login session on a host.
Admin Session Started Indicates that a login session has been 1
initiated on a host by an administrative
or privileged user.


Admin Session Finished Indicates the termination of an 1
administrator or privileged users login
session on a host.
VoIP Login Succeeded Indicates a successful VoIP service 1
login
VoIP Login Failed Indicates an unsuccessful attempt to 1
access VoIP service.
VoIP Logout Indicates a user logout, 1
VoIP Session Initiated Indicates the beginning of a VoIP 1
session.
VoIP Session Terminated Indicates the end of a VoIP session. 1
Database Login Indicates a successful database login. 1
Succeeded
Database Login Failure Indicates a database login attempt 3
failed.
IKE Authentication Failed Indicates a failed Internet Key 3
Exchange (IKE) authentication has
been detected.
IKE Authentication Indicates a successful IKE 1
Succeeded authentication has been detected.
IKE Session Started Indicates an IKE session started. 1
IKE Session Ended Indicates an IKE session ended. 1
IKE Error Indicates an IKE error message. 1
IKE Status Indicates IKE status message. 1
RADIUS Session Started Indicates a RADIUS session started. 1
RADIUS Session Ended Indicates a RADIUS session ended. 1
RADIUS Session Denied Indicates a RADIUS session has been 1
denied.
RADIUS Session Status Indicates a RADIUS session status 1
message.
RADIUS Authentication Indicates a RADIUS authentication 3
Failed failure.
RADIUS Authentication Indicates a RADIUS authentication 1
Successful succeeded.
TACACS Session Started Indicates a TACACS session started. 1
TACACS Session Ended Indicates a TACACS session ended. 1
TACACS Session Denied Indicates a TACACS session has been 1
denied.
TACACS Session Status Indicates a TACACS session status 1
message.

Authentication 365

TACACS Authentication Indicates a TACACS authentication 1
Successful succeeded.
TACACS Authentication Indicates a TACACS authentication 1
Failed failure.
Deauthenticating Host Indicates that the deauthentication of a 1
Succeeded host has been successful.
Deauthenticating Host Indicates that the deauthentication of a 3
Failed host failed.
Station Authentication Indicates that the station authentication 1
Succeeded has been successful.
Station Authentication Indicates that the station authentication 3
Failed of a host failed.
Station Association Indicates that the station association 1
Station Association Failed Indicates that the station association 3
failed.
Station Reassociation Indicates that the station reassociation 1
Station Reassociation Indicates that the station association 3
Failed failed.
Disassociating Host Indicates that the disassociating a host 1
Disassociating Host Failed Indicates that the disassociating a host 3
failed.
SA Error Indicates a Security Association (SA) 5
error message.
SA Creation Failure Indicates a Security Association (SA) 3
creation failure.
SA Established Indicates that a Security Association 1
(SA) connection established.
SA Rejected Indicates that a Security Association 3
(SA) connection rejected.
Deleting SA Indicates the deletion of a Security 1
Association (SA).
Creating SA Indicates the creation of a Security 1
Association (SA).
Certificate Mismatch Indicates a certificate mismatch. 3
Credentials Mismatch Indicates a credentials mismatch. 3
Admin Login Attempt Indicates an admin login attempt. 2
User Login Attempt Indicates a user login attempt. 2
User Login Successful Indicates a successful user login. 1


User Login Failure Indicates a failed user login. 3
Access The access category indicates authentication and access controls for monitoring
network events. The associated low-level event categories include:
Table E-5 Access Categories

Unknown Network Indicates an unknown network 3
Communication Event communication event.
Firewall Permit Indicates access to the firewall has 0
been permitted.
Firewall Deny Indicates access to the firewall has 4
been denied.
Flow Context Response Indicates events from the Classification 5
Engine in response to a SIM request.
Misc Network Indicates a miscellaneous 3
Communication Event communications event.
IPS Deny Indicates Intrusion Prevention Systems 4
(IPS) denied traffic.
Firewall Session Opened Indicates the firewall session has been 0
opened.
Firewall Session Closed Indicates the firewall session has been 0
closed.
Dynamic Address Indicates that dynamic address 0
Translation Successful translation has been successful.
No Translation Group Indicates that no translation group has 2
Found been found.
Misc Authorization Indicates that access has been granted 2
to a miscellaneous authentication
server.
ACL Permit Indicates that an Access Control List 0
(ACL) permitted access.
ACL Deny Indicates that an Access Control List 4
(ACL) denied access.
Access Permitted Indicates that access has been 0
permitted.
Access Denied Indicates that access has been denied. 4
Session Opened Indicates that a session has been 1
opened

Access 367
Table E-5 Access Categories (continued)

Session Closed Indicates that a session has been 1
closed.
Session Reset Indicates that a session has been 3
reset.
Session Terminated Indicates that a session has been 4
terminated.
Session Denied Indicates that a session has been 5
denied.
Session in Progress Indicates that a session is currently in 1
progress.
Session Delayed Indicates that a session has been 3
delayed.
Session Queued Indicates that a session has been 1
queued.
Session Inbound Indicates that a session is inbound. 1
Session Outbound Indicates that a session is outbound. 1
Unauthorized Access Indicates that an unauthorized access 6
Attempt attempt has been detected
Misc Application Action Indicates that an application action has 1
Allowed been permitted
Misc Application Action Indicates that an application action has 3
Denied been denied
Database Action Allowed Indicates that a database action has 1
been permitted.
Database Action Denied Indicates that a database action has 3
been denied.
FTP Action Allowed Indicates that a FTP action has been 1
permitted.
FTP Action Denied Indicates that a FTP action has been 3
denied.
Object Cached Indicates an object cached. 1
Object Not Cached Indicates an object not cached. 1
Rate Limiting Indicates that the network is rate 4
limiting traffic.
No Rate Limiting Indicates that the network is not rate 0
limiting traffic.

Exploit The exploit category indicates events where a communication or access has
occurred. The associated low-level event categories include:
Table E-6 Exploit Categories

Unknown Exploit Attack Indicates an unknown exploit attack. 9
Buffer Overflow Indicates a buffer overflow. 9
DNS Exploit Indicates a DNS exploit. 9
Telnet Exploit Indicates a Telnet exploit. 9
Linux Exploit Indicates a Linux exploit. 9
Unix Exploit Indicates a Unix exploit. 9
Windows Exploit Indicates a Windows exploit. 9
Mail Exploit Indicates a mail server exploit. 9
Infrastructure Exploit Indicates an infrastructure exploit. 9
Misc Exploit Indicates a miscellaneous exploit. 9
Web Exploit Indicates a web exploit. 9
Session Hijack Indicates a session in your network has 9
been interceded.
Worm Active Indicates an active worm. 10
Password Guess/Retrieve Indicates that a user has requested 9
access to their password information
from the database.
FTP Exploit Indicates an FTP exploit. 9
RPC Exploit Indicates an RPC exploit. 9
SNMP Exploit Indicates an SNMP exploit. 9
NOOP Exploit Indicates an NOOP exploit. 9
Samba Exploit Indicates an Samba exploit. 9
Database Exploit Indicates a database exploit. 9
SSH Exploit Indicates an SSH exploit. 9
ICMP Exploit Indicates an ICMP exploit. 9
UDP Exploit Indicates a UDP exploit. 9
Browser Exploit Indicates an exploit on your browser. 9
DHCP Exploit Indicates a DHCP exploit 9
Remote Access Exploit Indicates a remote access exploit 9
ActiveX Exploit Indicates an exploit through an ActiveX 9
application.
SQL Injection Indicates that an SQL injection has 9
occurred.

Malware 369
Table E-6 Exploit Categories (continued)

Cross-Site Scripting Indicates a cross-site scripting 9
vulnerability.
Format String Vulnerability Indicates a format string vulnerability. 9
Input Validation Exploit Indicates that an input validation exploit 9
attempt has been detected.
Remote Code Execution Indicates that a remote code execution 9
attempt has been detected.
Memory Corruption Indicates that a memory corruption 9
exploit has been detected.
Command Execution Indicates that a remote command 9
execution attempt has been detected.
Malware The malicious software (malware) category indicates events relating to application
exploits and buffer overflow attempts. The associated low-level event categories
include:
Table E-7 Malware Categories

Unknown Malware Indicates an unknown virus. 4
Backdoor Detected Indicates that a backdoor to the system 9
has been detected.
Hostile Mail Attachment Indicates a hostile mail attachment. 6
Malicious Software Indicates a virus. 6
Hostile Software Download Indicates a hostile software download 6
to your network.
Virus Detected Indicates a virus has been detected. 8
Misc Malware Indicates miscellaneous malicious 4
software
Trojan Detected Indicates a trojan has been detected. 7
Spyware Detected Indicates spyware has been detected 6
on your system.
Content Scan Indicates that an attempted scan of 3
your content has been detected.
Content Scan Failed Indicates that a scan of your content 8
has failed.
Content Scan Successful Indicates that a scan of your content 3
has been successful.
Content Scan in Progress Indicates that a scan of your content is 3
currently in progress.

Table E-7 Malware Categories (continued)

Keylogger Indicates that a key logger has been 7
detected.
Adware Detected Indicates that Ad-Ware has been 4
detected.
Suspicious Activity The suspicious activity category indicates events relating to viruses, trojans, back
door attacks, and other forms of hostile software. The associated low-level event
categories include:
Table E-8 Suspicious Categories

Unknown Suspicious Indicates an unknown suspicious 3
Event event.
Suspicious Pattern Indicates a suspicious pattern has 3
Detected been detected.
Content Modified By Indicates that content has been 3
Firewall modified by the firewall.
Invalid Command or Data Indicates an invalid command or data. 3
Suspicious Packet Indicates a suspicious packet. 3
Suspicious Activity Indicates suspicious activity. 3
Suspicious File Name Indicates a suspicious file name. 3
Suspicious Port Activity Indicates suspicious port activity. 3
Suspicious Routing Indicates suspicious routing. 3
Potential Web Vulnerability Indicates potential web vulnerability. 3
Unknown Evasion Event Indicates an unknown evasion event. 5
IP Spoof Indicates an IP spoof. 5
IP Fragmentation Indicates IP fragmentation. 3
Overlapping IP Fragments Indicates overlapping IP fragments. 5
IDS Evasion Indicates an IDS evasion. 5
DNS Protocol Anomaly Indicates a DNS protocol anomaly. 3
FTP Protocol Anomaly Indicates an FTP protocol anomaly. 3
Mail Protocol Anomaly Indicates a mail protocol anomaly. 3
Routing Protocol Anomaly Indicates a routing protocol anomaly. 3
Web Protocol Anomaly Indicates a web protocol anomaly. 3
SQL Protocol Anomaly Indicates an SQL protocol anomaly. 3

Suspicious Activity 371
Table E-8 Suspicious Categories (continued)

Executable Code Detected Indicates that an executable code has 5
been detected.
Misc Suspicious Event Indicates a miscellaneous suspicious 3
event.
Information Leak Indicates an information leak. 1
Potential Mail Vulnerability Indicates a potential vulnerability in the 4
mail server.
Potential Version Indicates a potential vulnerability in the 4
Vulnerability QRadar version.
Potential FTP Vulnerability Indicates a potential FTP vulnerability. 4
Potential SSH Vulnerability Indicates a potential SSH vulnerability. 4
Potential DNS Vulnerability Indicates a potential vulnerability in the 4
DNS server.
Potential SMB Vulnerability Indicates a potential SMB (Samba) 4
vulnerability.
Potential Database Indicates a potential vulnerability in the 4
Vulnerability database.
IP Protocol Anomaly Indicates a potential IP protocol 3
anomaly
Suspicious IP Address Indicates a suspicious IP address has 2
been detected.
Invalid IP Protocol Usage Indicates an invalid IP protocol misuse. 2
Invalid Protocol Indicates an invalid protocol. 4
Suspicious Window Events Indicates a suspicious event with a 2
screen on your desktop.
Suspicious ICMP Activity Indicates suspicious ICMP activity. 2
Potential NFS Vulnerability Indicates a potential Network File 4
System (NFS) vulnerability.
Potential NNTP Indicates a potential Network News 4
Vulnerability Transfer Protocol (NNTP) vulnerability.
Potential RPC Vulnerability Indicates a potential RPC vulnerability. 4
Potential Telnet Indicates a potential Telnet vulnerability 4
Vulnerability on your system.
Potential SNMP Indicates a potential SNMP 4
Vulnerability vulnerability.
Illegal TCP Flag Indicates an invalid TCP flag 5
Combination combination has been detected.
Suspicious TCP Flag Indicates a potentially invalid TCP flag 4
Combination combination has been detected.


Illegal ICMP Protocol Indicates an invalid use of the ICMP 5
Usage protocol has been detected.
Suspicious ICMP Protocol Indicates a potentially invalid use of the 4
Usage ICMP protocol has been detected.
Illegal ICMP Type Indicates an invalid ICMP type has 5
been detected.
Illegal ICMP Code Indicates an invalid ICMP code has 5
been detected.
Suspicious ICMP Type Indicates a potentially invalid ICMP 4
type has been detected.
Suspicious ICMP Code Indicates a potentially invalid ICMP 4
code has been detected.
TCP port 0 Indicates a TCP packet using a 4
reserved port (0) for source or
destination.
UDP port 0 Indicates a UDP packets using a 4
reserved port (0) for source or
destination.
Hostile IP Indicates the use of a known hostile IP 4
address.
Watch list IP Indicates the use of an IP address from 4
a watch list of IP addresses.
Known offender IP Indicates the use of an IP address of a 4
known offender.
RFC 1918 (private) IP Indicates the use of an IP address from 4
a private IP address range.
Potential VoIP Vulnerability Indicates a potential VoIP vulnerability. 4
Blacklist Address Indicates that an IP address is on the 8
black list.
Watchlist Address Indicates that the IP address is on the 7
list of IP addresses being monitored.
Darknet Address Indicates that the IP address is part of a 5
darknet.
Botnet Address Indicates that the address is part of a 7
botnet.
Suspicious Address Indicates that the IP address should be 5
monitored.
Bad Content Indicates bad content has been 7
detected.
Invalid Cert Indicates an invalid certificate has been 7
detected.

System 373

User Activity Indicates that user activity has been 7
detected.
Suspicious Protocol Usage Indicates suspicious protocol usage 5
has been detected.
Suspicious BGP Activity Indicates that suspicious Border 5
Gateway Protocol (BGP) usage has
been detected.
Route Poisoning Indicates that route corruption has 5
been detected.
ARP Poisoning Indicates that ARP-cache poisoning 5
has been detected.
Rogue Device Detected Indicates a rogue device has been 5
detected.
System The system category indicates events relating to system changes, software
installation, or status messages. The associated low-level event categories
include:
Table E-9 System Categories

Unknown System Event Indicates an unknown system event. 1
System Boot Indicates a system boot. 1
System Configuration Indicates a change in the system 1
configuration.
System Halt Indicates the system has been halted. 1
System Failure Indicates a system failure. 6
System Status Indicates any information event. 1
System Error Indicates a system error. 3
Misc System Event Indicates a miscellaneous system 1
event.
Service Started Indicates system services have started. 1
Service Stopped Indicates system services have 1
stopped.
Service Failure Indicates a system failure. 6
Successful Registry Indicates that a modification to the 1
Modification registry has been successful.
Successful Host-Policy Indicates that a modification to the host 1
Modification policy has been successful.

Table E-9 System Categories (continued)

Successful File Indicates that a modification to a file 1
Modification has been successful.
Successful Stack Indicates that a modification to the 1
Modification stack has been successful.
Successful Application Indicates that a modification to the 1
Modification application has been successful.
Successful Configuration Indicates that a modification to the 1
Modification configuration has been successful.
Successful Service Indicates that a modification to a 1
Modification service has been successful.
Failed Registry Indicates that a modification to the 1
Modification registry has failed.
Failed Host-Policy Indicates that a modification to the host 1
Modification policy has failed.
Failed File Modification Indicates that a modification to a file 1
has failed.
Failed Stack Modification Indicates that a modification to the 1
stack has failed.
Failed Application Indicates that a modification to an 1
Modification application has failed.
Failed Configuration Indicates that a modification to the 1
Modification configuration has failed.
Failed Service Modification Indicates that a modification to the 1
service has failed.
Registry Addition Indicates that an new item has been 1
added to the registry.
Host-Policy Created Indicates that a new entry has been 1
added to the registry.
File Created Indicates that a new has been created 1
in the system.
Application Installed Indicates that a new application has 1
been installed on the system.
Service Installed Indicates that a new service has been 1
installed on the system.
Registry Deletion Indicates that a registry entry has been 1
deleted.
Host-Policy Deleted Indicates that a host policy entry has 1
been deleted.
File Deleted Indicates that a file has been deleted. 1
Application Uninstalled Indicates that an application has been 1
uninstalled.

System 375

Service Uninstalled Indicates that a service has been 1
uninstalled.
System Informational Indicates system information. 3
System Action Allow Indicates that an attempted action on 3
the system has been authorized.
System Action Deny Indicates that an attempted action on 4
the system has been denied.
Cron Indicates a crontab message. 1
Cron Status Indicates a crontab status message. 1
Cron Failed Indicates a crontab failure message. 4
Cron Successful Indicates a crontab success message. 1
Daemon Indicates a daemon message. 1
Daemon Status Indicates a daemon status message. 1
Daemon Failed Indicates a daemon failure message. 4
Daemon Successful Indicates a daemon success message. 1
Kernel Indicates a kernel message. 1
Kernel Status Indicates a kernel status message. 1
Kernel Failed Indicates a kernel failure message.
Kernel Successful Indicates a kernel successful message. 1
Authentication Indicates an authentication message. 1
Information Indicates an informational message. 2
Notice Indicates a notice message. 3
Warning Indicates a warning message. 5
Error Indicates an error message. 7
Critical Indicates a critical message. 9
Debug Indicates a debug message. 1
Messages Indicates a generic message. 1
Privilege Access Indicates that privilege access has 3
been attempted.
Alert Indicates an alert message. 9
Emergency Indicates an emergency message. 9
SNMP Status Indicates an SNMP status message. 1
FTP Status Indicates an FTP status message. 1
NTP Status Indicates an NTP status message. 1
Access Point Radio Failure Indicates an access point radio failure. 3


Encryption Protocol Indicates an encryption protocol 3
Configuration Mismatch configuration mismatch.
Client Device or Indicates a client device or 5
Authentication Server authentication server has been not
Misconfigured configured properly.
Hot Standby Enable Failed Indicates a hot standby enable failure. 5
Hot Standby Disable Indicates a hot standby disable failure. 5
Failed
Hot Standby Enabled Indicates hot standby has been 1
Successfully enabled successfully.
Hot Standby Association Indicates a hot standby association has 5
Lost been lost.
MainMode Initiation Failure Indicates MainMode initiation failure. 5
MainMode Initiation Indicates that the MainMode initiation 1
MainMode Status Indicates a MainMode status message 1
has been reported.
QuickMode Initiation Indicates that the QuickMode initiation 5
Failure failed.
Quickmode Initiation Indicates that the QuickMode initiation 1
Quickmode Status Indicates a QuickMode status message 1
has been reported.
Invalid License Indicates an invalid license. 3
License Expired Indicates an expired license. 3
New License Applied Indicates a new license applied. 1
License Error Indicates a license error. 5
License Status Indicates a license status message. 1
Configuration Error Indicates that a configuration error has 5
been detected.
Service Disruption Indicates that a service disruption has 5
been detected.
License Exceeded Indicates that the license capabilities 3
have been exceeded.
Performance Status Indicates that the performance status 1
has been reported.
Performance Degradation Indicates that the performance is being 4
degraded.
Misconfiguration Indicates that a incorrect configuration 5
has been detected.

Policy 377
Policy The policy category indicates events relating to administration of network policy
and the monitoring network resources for policy violations. The associated
low-level event categories include:
Table E-10 Policy Categories

Unknown Policy Violation Indicates an unknown policy violation. 2
Web Policy Violation Indicates a web policy violation. 2
Remote Access Policy Indicates a remote access policy 2
Violation violation.
IRC/IM Policy Violation Indicates an instant messenger policy 2
violation.
P2P Policy Violation Indicates a Peer-to-Peer (P2P) policy 2
violation.
IP Access Policy Violation Indicates an IP access policy violation. 2
Application Policy Violation Indicates an application policy violation. 2
Database Policy Violation Indicates a database policy violation. 2
Network Threshold Policy Indicates a network threshold policy 2
Violation violation.
Porn Policy Violation Indicates a porn policy violation. 2
Games Policy Violation Indicates a games policy violation. 2
Misc Policy Violation Indicates a miscellaneous policy 2
violation.
Compliance Policy Indicates a compliance policy violation. 2
Violation
Mail Policy Violation Indicates a mail policy violation. 2
IRC Policy Violation Indicates an IRC policy violation 2
IM Policy Violation Indicates a policy violation related to 2
instant messaging (IM) activities.
VoIP Policy Violation Indicates a VoIP policy violation 2
Succeeded Indicates a policy successful message. 1
Failed Indicates a policy failure message. 4

CRE The CRE category indicates events generated from a custom offense, flow or
event rule. The associated low-level event categories include:
Table E-11 CRE Category

Unknown CRE Event Indicates an unknown custom rules 5
engine event.
Single Event Rule Match Indicates a single event rule match. 5
Event Sequence Rule Indicates an event sequence rule 5
Match match.
Cross-Offense Event Indicates a cross-offense event 5
Sequence Rule Match sequence rule match.
Offense Rule Match Indicates an offense rule match. 5
Potential Exploit The Potential Exploit category indicates events relating to potential application
exploits and buffer overflow attempts. The associated low-level event categories
include:
Table E-12 Potential Exploit Category

Unknown Potential Exploit Indicates a potential exploitative attack 7
Attack has been detected.
Potential Buffer Overflow Indicates a potential buffer overflow 7
has been detected.
Potential DNS Exploit Indicates a potentially exploitative 7
attack through the DNS server has
been detected.
Potential Telnet Exploit Indicates a potentially exploitative 7
attack through Telnet has been
detected.
Potential Linux Exploit Indicates a potentially exploitative 7
attack through Linux has been
detected.
Potential Unix Exploit Indicates a potentially exploitative 7
attack through Unix has been detected.
Potential Windows Exploit Indicates a potentially exploitative 7
attack through Windows has been
detected.
Potential Mail Exploit Indicates a potentially exploitative 7
attack through mail has been detected.

SIM Audit 379
Table E-12 Potential Exploit Category (continued)

Potential Infrastructure Indicates a potential exploitative attack 7
Exploit on the system infrastructure has been
detected.
Potential Misc Exploit Indicates a potentially exploitative 7
attack has been detected.
Potential Web Exploit Indicates a potentially exploitative 7
attack through the web has been
detected.
Potential Botnet Indicates a potentially exploitative 6
connection attack using Botnet has been detected.
Potential worm activity Indicates a potentially exploitive attack 6
using worm activity has been detected.
SIM Audit The SIM Audit events category indicates events related to user interaction with the
Console and administrative functionality . User login and configuration changes will
generate events that are sent to the Event Collector, which correlates with other
security events from the network. The associated low-level event categories
include:
Table E-13 SIM Audit Event Category

SIM User Authentication Indicates a user login or logout on the 5
Console.
SIM Configuration Change Indicates that a user has made a 3
change to the SIM configuration or
deployment.
SIM User Action Indicates that a user has initiated a 3
process in the SIM module. This may
include starting a backup process or
generated a report.
Session Created Indicates a user session has been 3
created.
Session Destroyed Indicates a user session has been 3
destroyed.
Admin Session Created Indicates an admin session has been
created.
Admin Session Destroyed Indicates an admin session has been 3
destroyed.
Session Authentication Indicates an invalid session 5
Invalid authentication.

Table E-13 SIM Audit Event Category (continued)

Session Authentication Indicates a session authentication 3
Expired expired.
VIS Host Discovery When the VIS component discovers and stores new hosts, ports, or vulnerabilities
detected on the network, the VIS component generates events. These events are
sent to the Event Collector to be correlated with other security events.
The associated low-level event categories include:

Table E-14 VIS Host Discovery Category

New Host Discovered Indicates that the VIS component has 3
detected a new host.
New Port Discovered Indicates that the VIS component has 3
detected a new open port.
New Vuln Discovered Indicates that the VIS component has 3
detected a new vulnerability.
New OS Discovered Indicates that the VIS component has 3
detected a new operating system on a
host.
Bulk Host Discovered Indicates that the VIS component has 3
detected many new hosts in a short
period of time.
Application The Application category indicates events relating to application activity, such as
e-mail or FTP activity. The associated low-level event categories include:
Table E-15 Application Category

Mail Opened Indicates that an e-mail connection has 1
been established.
Mail Closed Indicates that an e-mail connection has 1
been closed.
Mail Reset Indicates that an e-mail connection has 3
been reset.
Mail Terminated Indicates that an e-mail connection has 4
been terminated.

Application 381
Table E-15 Application Category (continued)

Mail Denied Indicates that an e-mail connection has 4
been denied.
Mail in Progress Indicates that an e-mail connection is 1
being attempted.
Mail Delayed Indicates that an e-mail connection has 4
been delayed.
Mail Queued Indicates that an e-mail connection has 3
been queued.
Mail Redirected Indicates that an e-mail connection has 1
been redirected.
FTP Opened Indicates that an FTP connection has 1
been opened.
FTP Closed Indicates that an FTP connection has 1
been closed.
FTP Reset Indicates that an FTP connection has 3
been reset.
FTP Terminated Indicates that an FTP connection has 4
been terminated.
FTP Denied Indicates that an FTP connection has 4
been denied.
FTP In Progress Indicates that an FTP connection is 1
FTP Redirected Indicates that an FTP connection has 3
been redirected.
HTTP Opened Indicates that an HTTP connection has 1
been established.
HTTP Closed Indicates that an HTTP connection has 1
been closed.
HTTP Reset Indicates that an HTTP connection has 3
been reset.
HTTP Terminated Indicates that an HTTP connection has 4
been terminated.
HTTP Denied Indicates that an HTTP connection has 4
been denied.
HTTP In Progress Indicates that an HTTP connection is 1
HTTP Delayed Indicates that an HTTP connection has 3
been delayed.
HTTP Queued Indicates that an HTTP connection has 1
been queued.


HTTP Redirected Indicates that an HTTP connection has 1
been redirected.
HTTP Proxy Indicates that an HTTP connection is 1
being proxied.
HTTPS Opened Indicates that an HTTPS connection 1
has been established.
HTTPS Closed Indicates that an HTTPS connection 1
has been closed.
HTTPS Reset Indicates that an HTTPS connection 3
has been reset.
HTTPS Terminated Indicates that an HTTPS connection 4
has been terminated.
HTTPS Denied Indicates that an HTTPS connection 4
has been denied.
HTTPS In Progress Indicates that an HTTPS connection is 1
HTTPS Delayed Indicates that an HTTPS connection 3
has been delayed.
HTTPS Queued Indicates that an HTTPS connection 3
has been queued.
HTTPS Redirected Indicates that an HTTPS connection 3
has been redirected.
HTTPS Proxy Indicates that an HTTPS connection is 1
proxied.
SSH Opened Indicates than an SSH connection has 1
been established.
SSH Closed Indicates that an SSH connection has 1
been closed.
SSH Reset Indicates that an SSH connection has 3
been reset.
SSH Terminated Indicates that an SSH connection has 4
been terminated.
SSH Denied Indicates that an SSH session has 4
been denied.
SSH In Progress Indicates that an SSH session is 1
RemoteAccess Opened Indicates that a remote access 1
connection has been established.
RemoteAccess Closed Indicates that a remote access 1
connection has been closed.

Application 383

RemoteAccess Reset Indicates that a remote access 3
connection has been reset.
RemoteAccess Indicates that a remote access 4
Terminated connection has been terminated.
RemoteAccess Denied Indicates that a remote access 4
connection has been denied.
RemoteAccess In Indicates that a remote access 1
Progress connection is currently in progress.
RemoteAccess Delayed Indicates that a remote access 3
connection has been delayed.
RemoteAccess Redirected Indicates that a remote access 3
connection has been redirected.
VPN Opened Indicates that a VPN connection has 1
been opened.
VPN Closed Indicates that a VPN connection has 1
been closed.
VPN Reset Indicates that a VPN connection has 3
been reset.
VPN Terminated Indicates that a VPN connection has 4
been terminated.
VPN Denied Indicates that a VPN connection has 4
been denied.
VPN In Progress Indicates that a VPN connection is 1
VPN Delayed Indicates that a VPN connection has 3
been delayed
VPN Queued Indicates that a VPN connection has 3
been queued.
VPN Redirected Indicates that a VPN connection has 3
been redirected.
RDP Opened Indicates that an RDP connection has 1
been established.
RDP Closed Indicates that an RDP connection has 1
been closed.
RDP Reset Indicates that an RDP connection has 3
been reset.
RDP Terminated Indicates that an RDP connection has 4
been terminated.
RDP Denied Indicates that an RDP connection has 4
been denied.


RDP In Progress Indicates that an RDP connection is 1
RDP Redirected Indicates that an RDP connection has 3
been redirected.
FileTransfer Opened Indicates that a file transfer connection 1
FileTransfer Closed Indicates that a file transfer connection 1
has been closed.
FileTransfer Reset Indicates that a file transfer connection 3
has been reset.
FileTransfer Terminated Indicates that a file transfer connection 4
FileTransfer Denied Indicates that a file transfer connection 4
has been denied.
FileTransfer In Progress Indicates that a file transfer connection 1
is currently in progress.
FileTransfer Delayed Indicates that a file transfer connection 3
has been delayed.
FileTransfer Queued Indicates that a file transfer connection 3
has been queued.
FileTransfer Redirected Indicates that a file transfer connection 3
DNS Opened Indicates that a DNS connection has 1
been established.
DNS Closed Indicates that a DNS connection has 1
been closed.
DNS Reset Indicates that a DNS connection has 5
been reset.
DNS Terminated Indicates that a DNS connection has 5
been terminated.
DNS Denied Indicates that a DNS connection has 5
been denied.
DNS In Progress Indicates that a DNS connection is 1
DNS Delayed Indicates that a DNS connection has 5
been delayed.
DNS Redirected Indicates that a DNS connection has 4
been redirected.
Chat Opened Indicates that a chat connection has 1
been opened.

Application 385

Chat Closed Indicates that a chat connection has 1
been closed.
Chat Reset Indicates that a chat connection has 3
been reset.
Chat Terminated Indicates that a chat connection has 3
been terminated.
Chat Denied Indicates that a chat connection has 3
been denied.
Chat In Progress Indicates that a chat connection is 1
Chat Redirected Indicates that a chat connection has 1
been redirected.
Database Opened Indicates that a database connection 1
Database Closed Indicates that a database connection 1
has been closed.
Database Reset Indicates that a database connection 5
has been reset.
Database Terminated Indicates that a database connection 5
Database Denied Indicates that a database connection 5
has been denied.
Database In Progress Indicates that a database connection is 1
Database Redirected Indicates that a database connection 3
SMTP Opened Indicates that an SMTP connection has 1
been established.
SMTP Closed Indicates that an SMTP connection has 1
been closed.
SMTP Reset Indicates that an SMTP connection has 3
been reset.
SMTP Terminated Indicates that an SMTP connection has 5
been terminated.
SMTP Denied Indicates that an SMTP connection has 5
been denied.
SMTP In Progress Indicates that an SMTP connection is 1
SMTP Delayed Indicates that an SMTP connection has 3
been delayed.


SMTP Queued Indicates that an SMTP connection has 3
been queued.
SMTP Redirected Indicates that an SMTP connection has 3
been redirected.
Auth Opened Indicates that an authorization server 1
Auth Closed Indicates that an authorization server 1
connection has been closed.
Auth Reset Indicates that an authorization server 3
connection has been reset.
Auth Terminated Indicates that an authorization server 4
connection has been terminated.
Auth Denied Indicates that an authorization server 4
connection has been denied.
Auth In Progress Indicates that an authorization server 1
connection is currently in progress.
Auth Delayed Indicates that an authorization server 3
connection has been delayed.
Auth Queued Indicates that an authorization server 3
connection has been queued.
Auth Redirected Indicates that an authorization server 2
connection has been redirected.
P2P Opened Indicates that a Peer-to-Peer (P2P) 1
P2P Closed Indicates that a P2P connection has 1
been closed.
P2P Reset Indicates that a P2P connection has 4
been reset.
P2P Terminated Indicates that a P2P connection has 4
been terminated.
P2P Denied Indicates that a P2P connection has 3
been denied.
P2P In Progress Indicates that a P2P connection is 1
Web Opened Indicates that a web connection has 1
been established.
Web Closed Indicates that a web connection has 1
been closed.
Web Reset Indicates that a web connection has 4
been reset.

Application 387

Web Terminated Indicates that a web connection has 4
been terminated.
Web Denied Indicates that a web connection has 4
been denied.
Web In Progress Indicates that a web connection is 1
Web Delayed Indicates that a web connection has 3
been delayed.
Web Queued Indicates that a web connection has 1
been queued.
Web Redirected Indicates that a web connection has 1
been redirected.
Web Proxy Indicates that a web connection has 1
been proxied.
VoIP Opened Indicates that a Voice Over IP (VoIP) 1
VoIP Closed Indicates that a VoIP connection has 1
been closed.
VoIP Reset Indicates that a VoIP connection has 3
been reset.
VoIP Terminated Indicates that a VoIP connection has 3
been terminated.
VoIP Denied Indicates that a VoIP connection has 3
been denied.
VoIP In Progress Indicates that a VoIP connection is 1
VoIP Delayed Indicates that a VoIP connection has 3
been delayed.
VoIP Redirected Indicates that a VoIP connection has 3
been redirected.
LDAP Session Started Indicates a LDAP session has started. 1
LDAP Session Ended Indicates a LDAP session has ended. 1
LDAP Session Denied Indicates a LDAP session has been 3
denied.
LDAP Session Status Indicates a LDAP session status 1
message has been reported.
LDAP Authentication Indicates a LDAP authentication has 4
Failed failed.
LDAP Authentication Indicates a LDAP authentication has 1
Succeeded been successful.


AAA Session Started Indicates that an Authentication, 1
Authorization and Accounting (AAA)
session has started.
AAA Session Ended Indicates that an AAA session has 1
ended.
AAA Session Denied Indicates that an AAA session has 3
been denied.
AAA Session Status Indicates that an AAA session status 1
AAA Authentication Failed Indicates that an AAA authentication 4
has failed.
AAA Authentication Indicates that an AAA authentication 1
IPSEC Authentication Indicates that an Internet Protocol 4
Failed Security (IPSEC) authentication has
failed.
IPSEC Authentication Indicates that an IPSEC authentication 1
IPSEC Session Started Indicates that an IPSEC session has 1
started.
IPSEC Session Ended Indicates that an IPSEC session has 1
ended.
IPSEC Error Indicates that an IPSEC error message 5
has been reported.
IPSEC Status Indicates that an IPSEC session status 1
IM Session Opened Indicates that an Instant Messenger 1
(IM) session has been established.
IM Session Closed Indicates that an IM session has been 1
closed.
IM Session Reset Indicates that an IM session has been 3
reset.
IM Session Terminated Indicates that an IM session has been 3
terminated.
IM Session Denied Indicates that an IM session has been 3
denied.
IM Session In Progress Indicates that an IM session is in 1
progress.
IM Session Delayed Indicates that an IM session has been 3
delayed
IM Session Redirected Indicates that an IM session has been 3
redirected.

Application 389

WHOIS Session Opened Indicates that a WHOIS session has 1
been established.
WHOIS Session Closed Indicates that a WHOIS session has 1
been closed.
WHOIS Session Reset Indicates that a WHOIS session has 3
been reset.
WHOIS Session Indicates that a WHOIS session has 3
Terminated been terminated.
WHOIS Session Denied Indicates that a WHOIS session has 3
been denied.
WHOIS Session In Indicates that a WHOIS session is in 1
Progress progress.
WHOIS Session Indicates that a WHOIS session has 3
Redirected been redirected.
Traceroute Session Indicates that a Traceroute session has 1
Opened been established.
Traceroute Session Closed Indicates that a Traceroute session has 1
been closed.
Traceroute Session Indicates that a Traceroute session has 3
Denied been denied.
Traceroute Session In Indicates that a Traceroute session is 1
Progress in progress.
TN3270 Session Opened TN3270 is a terminal emulation 1
program, which is used to connect to
an IBM 3270 terminal. This category
indicates that a TN3270 session has
been established.
TN3270 Session Closed Indicates that a TN3270 session has 1
been closed.
TN3270 Session Reset Indicates that a TN3270 session has 3
been reset.
TN3270 Session Indicates that a TN3270 session has 3
TN3270 Session Denied Indicates that a TN3270 session has 3
been denied.
TN3270 Session In Indicates that a TN3270 session is in 1
Progress progress.
TFTP Session Opened Indicates that a TFTP session has 1
been established.
TFTP Session Closed Indicates that a TFTP session has 1
been closed.


TFTP Session Reset Indicates that a TFTP session has 3
been reset.
TFTP Session Terminated Indicates that a TFTP session has 3
been terminated.
TFTP Session Denied Indicates that a TFTP session has 3
been denied.
TFTP Session In Progress Indicates that a TFTP session is in 1
progress.
Telnet Session Opened Indicates that a Telnet session has 1
been established.
Telnet Session Closed Indicates that a Telnet session has 1
been closed.
Telnet Session Reset Indicates that a Telnet session has 3
been reset.
Telnet Session Terminated Indicates that a Telnet session has 3
been terminated.
Telnet Session Denied Indicates that a Telnet session has 3
been denied.
Telnet Session In Progress Indicates that a Telnet session is in 1
progress.
Syslog Session Opened Indicates that a syslog session has 1
been established.
Syslog Session Closed Indicates that a syslog session has 1
been closed.
Syslog Session Denied Indicates that a syslog session has 3
been denied.
Syslog Session In Indicates that a syslog session is in 1
Progress progress.
SSL Session Opened Indicates that a Secure Socket Layer 1
(SSL) session has been established.
SSL Session Closed Indicates that an SSL session has been 1
closed.
SSL Session Reset Indicates that an SSL session has been 3
reset.
SSL Session Terminated Indicates that an SSL session has been 3
terminated.
SSL Session Denied Indicates that an SSL session has been 3
denied.
SSL Session In Progress Indicates that an SSL session is in 1
progress.

Application 391

SNMP Session Opened Indicates that a Simple Network 1
Management Protocol (SNMP) session
SNMP Session Closed Indicates that an SNMP session has 1
been closed.
SNMP Session Denied Indicates that an SNMP session has 3
been denied.
SNMP Session In Indicates that an SNMP session is in 1
Progress progress.
SMB Session Opened Indicates that a Server Message Block 1
(SMB) session has been established.
SMB Session Closed Indicates that an SMB session has 1
been closed.
SMB Session Reset Indicates that an SMB session has 3
been reset.
SMB Session Terminated Indicates that an SMB session has 3
been terminated.
SMB Session Denied Indicates that an SMB session has 3
been denied.
SMB Session In Progress Indicates that an SMB session is in 1
progress.
Streaming Media Session Indicates that a Streaming Media 1
Opened session has been established.
Closed session has been closed.
Reset session has been reset.
Terminated session has been terminated.
Denied session has been denied.
In Progress session is in progress.
RUSERS Session Opened Indicates that a (Remote Users) 1
RUSERS session has been
established.
RUSERS Session Closed Indicates that a RUSERS session has 1
been closed.
RUSERS Session Denied Indicates that a RUSERS session has 3
been denied.
RUSERS Session In Indicates that a RUSERS session is in 1
Progress progress.


RSH Session Opened Indicates that a Remote Shell (RSH) 1
session has been established.
RSH Session Closed Indicates that an RSH session has 1
been closed.
RSH Session Reset Indicates that an RSH session has 3
been reset.
RSH Session Terminated Indicates that an RSH session has 3
been terminated.
RSH Session Denied Indicates that an RSH session has 3
been denied.
RSH Session In Progress Indicates that an RSH session is in 1
progress.
RLOGIN Session Opened Indicates that a Remote Login 1
(RLOGIN) session has been
established.
RLOGIN Session Closed Indicates that an RLOGIN session has 1
been closed.
RLOGIN Session Reset Indicates that an RLOGIN session has 3
been reset.
RLOGIN Session Indicates that an RLOGIN session has 3
RLOGIN Session Denied Indicates that an RLOGIN session has 3
been denied.
RLOGIN Session In Indicates that an RLOGIN session is in 1
Progress progress.
REXEC Session Opened Indicates that a (Remote Execution) 1
REXEC session has been established.
REXEC Session Closed Indicates that an REXEC session has 1
been closed.
REXEC Session Reset Indicates that an REXEC session has 3
been reset.
REXEC Session Indicates that an REXEC session has 3
REXEC Session Denied Indicates that an REXEC session has 3
been denied.
REXEC Session In Indicates that an REXEC session is in 1
Progress progress.
RPC Session Opened Indicates that a Remote Procedure Call 1
(RPC) session has been established.
RPC Session Closed Indicates that an RPC session has 1
been closed.

Application 393

RPC Session Reset Indicates that an RPC session has 3
been reset.
RPC Session Terminated Indicates that an RPC session has 3
been terminated.
RPC Session Denied Indicates that an RPC session has 3
been denied.
RPC Session In Progress Indicates that an RPC session is in 1
progress.
NTP Session Opened Indicates that a Network Time Protocol 1
(NTP) session has been established.
NTP Session Closed Indicates that an NTP session has 1
been closed.
NTP Session Reset Indicates that an NTP session has 3
been reset.
NTP Session Terminated Indicates that an NTP session has 3
been terminated.
NTP Session Denied Indicates that an NTP session has 3
been denied.
NTP Session In Progress Indicates that an NTP session is in 1
progress.
NNTP Session Opened Indicates that a Network News Transfer 1
Protocol (NNTP) session has been
established.
NNTP Session Closed Indicates that an NNTP session has 1
been closed.
NNTP Session Reset Indicates that an NNTP session has 3
been reset.
NNTP Session Terminated Indicates that an NNTP session has 3
been terminated.
NNTP Session Denied Indicates that an NNTP session has 3
been denied.
NNTP Session In Progress Indicates that an NNTP session is in 1
progress.
NFS Session Opened Indicates that a Network File System 1
(NFS) session has been established.
NFS Session Closed Indicates that an NFS session has 1
been closed.
NFS Session Reset Indicates that an NFS session has 3
been reset.
NFS Session Terminated Indicates that an NFS session has 3
been terminated.


NFS Session Denied Indicates that an NFS session has 3
been denied.
NFS Session In Progress Indicates that an NFS session is in 1
progress.
NCP Session Opened Indicates that a Network Control 1
Program (NCP) session has been
established.
NCP Session Closed Indicates that an NCP session has 1
been closed.
NCP Session Reset Indicates that an NCP session has 3
been reset.
NCP Session Terminated Indicates that an NCP session has 3
been terminated.
NCP Session Denied Indicates that an NCP session has 3
been denied.
NCP Session In Progress Indicates that an NCP session is in 1
progress.
NetBIOS Session Opened Indicates that a NetBIOS session has 1
been established.
NetBIOS Session Closed Indicates that a NetBIOS session has 1
been closed.
NetBIOS Session Reset Indicates that a NetBIOS session has 3
been reset.
NetBIOS Session Indicates that a NetBIOS session has 3
NetBIOS Session Denied Indicates that a NetBIOS session has 3
been denied.
NetBIOS Session In Indicates that a NetBIOS session is in 1
Progress progress.
MODBUS Session Opened Indicates that a MODBUS session has 1
been established.
MODBUS Session Closed Indicates that a MODBUS session has 1
been closed.
MODBUS Session Reset Indicates that a MODBUS session has 3
been reset.
MODBUS Session Indicates that a MODBUS session has 3
MODBUS Session Denied Indicates that a MODBUS session has 3
been denied.
MODBUS Session In Indicates that a MODBUS session is in 1
Progress progress.

Application 395

LPD Session Opened Indicates that a Line Printer Daemon 1
(LPD) session has been established.
LPD Session Closed Indicates that an LPD session has 1
been closed.
LPD Session Reset Indicates that an LPD session has 3
been reset.
LPD Session Terminated Indicates that an LPD session has 3
been terminated.
LPD Session Denied Indicates that an LPD session has 3
been denied.
LPD Session In Progress Indicates that an LPD session is in 1
progress.
Lotus Notes Session Indicates that a Lotus Notes session 1
Opened has been established.
Closed has been closed.
Lotus Notes Session Reset Indicates that a Lotus Notes session 3
has been reset.
Terminated has been terminated.
Denied has been denied.
Lotus Notes Session In Indicates that a Lotus Notes session is 1
Progress in progress.
Kerberos Session Opened Indicates that a Kerberos session has 1
been established.
Kerberos Session Closed Indicates that a Kerberos session has 1
been closed.
Kerberos Session Reset Indicates that a Kerberos session has 3
been reset.
Kerberos Session Indicates that a Kerberos session has 3
Kerberos Session Denied Indicates that a Kerberos session has 3
been denied.
Kerberos Session In Indicates that a Kerberos session is in 1
Progress progress.
IRC Session Opened Indicates that an Internet Relay Chat 1
(IRC) session has been established.
IRC Session Closed Indicates that an IRC session has been 1
closed.


IRC Session Reset Indicates that an IRC session has been 3
reset.
IRC Session Terminated Indicates that an IRC session has been 3
terminated.
IRC Session Denied Indicates that an IRC session has been 3
denied.
IRC Session In Progress Indicates that an IRC session is in 1
progress.
IEC 104 Session Opened Indicates that an IEC 104 session has 1
been established.
IEC 104 Session Closed Indicates that an IEC 104 session has 1
been closed.
IEC 104 Session Reset Indicates that an IEC 104 session has 3
been reset.
IEC 104 Session Indicates that an IEC 104 session has 3
IEC 104 Session Denied Indicates that an IEC 104 session has 3
been denied.
IEC 104 Session In Indicates that an IEC 104 session is in 1
Progress progress.
Ident Session Opened Indicates that a TCP Client Identity 1
Protocol (Ident) session has been
established.
Ident Session Closed Indicates that an Ident session has 1
been closed.
Ident Session Reset Indicates that an Ident session has 3
been reset.
Ident Session Terminated Indicates that an Ident session has 3
been terminated.
Ident Session Denied Indicates that an Ident session has 3
been denied.
Ident Session In Progress Indicates that an Ident session is in 1
progress.
ICCP Session Opened Indicates that an Inter-Control Center 1
Communications Protocol (ICCP)
session has been established.
ICCP Session Closed Indicates that an ICCP session has 1
been closed.
ICCP Session Reset Indicates that an ICCP session has 3
been reset.
ICCP Session Terminated Indicates that an ICCP session has 3
been terminated.

Application 397

ICCP Session Denied Indicates that an ICCP session has 3
been denied.
ICCP Session In Progress Indicates that an ICCP session is in 1
progress.
Groupwise Session Indicates that a Groupwise session has 1
Opened been established.
Groupwise Session Closed Indicates that a Groupwise session has 1
been closed.
Groupwise Session Reset Indicates that a Groupwise session 3
has been reset.
Groupwise Session Indicates that a Groupwise session has 3
Groupwise Session Denied Indicates that a Groupwise session has 3
been denied.
Groupwise Session In Indicates that a Groupwise session is in 1
Progress progress.
Gopher Session Opened Indicates that a Gopher session has 1
been established.
Gopher Session Closed Indicates that a Gopher session has 1
been closed.
Gopher Session Reset Indicates that a Gopher session has 3
been reset.
Gopher Session Indicates that a Gopher session has 3
Gopher Session Denied Indicates that a Gopher session has 3
been denied.
Gopher Session In Indicates that a Gopher session is in 1
Progress progress.
GIOP Session Opened Indicates that a General Inter-ORB 1
Protocol (GIOP) session has been
established.
GIOP Session Closed Indicates that a GIOP session has 1
been closed.
GIOP Session Reset Indicates that a GIOP session has 3
been reset.
GIOP Session Terminated Indicates that a GIOP session has 3
been terminated.
GIOP Session Denied Indicates that a GIOP session has 3
been denied.
GIOP Session In Progress Indicates that a GIOP session is in 1
progress.


Finger Session Opened Indicates that a Finger session has 1
been established.
Finger Session Closed Indicates that a Finger session has 1
been closed.
Finger Session Reset Indicates that a Finger session has 3
been reset.
Finger Session Terminated Indicates that a Finger session has 3
been terminated.
Finger Session Denied Indicates that a Finger session has 3
been denied.
Finger Session In Progress Indicates that a Finger session is in 1
progress.
Echo Session Opened Indicates that an Echo session has 1
been established.
Echo Session Closed Indicates that an Echo session has 1
been closed.
Echo Session Denied Indicates that an Echo session has 3
been denied.
Echo Session In Progress Indicates that an Echo session is in 1
progress.
Remote .NET Session Indicates that a Remote .NET session 1
Opened has been established.
Closed has been closed.
Reset has been reset.
Terminated has been terminated.
Denied has been denied.
Remote .NET Session In Indicates that a Remote .NET session 1
Progress is in progress.
DNP3 Session Opened Indicates that a Distributed Network 1
Proctologic (DNP3) session has been
established.
DNP3 Session Closed Indicates that a DNP3 session has 1
been closed.
DNP3 Session Reset Indicates that a DNP3 session has 3
been reset.
DNP3 Session Terminated Indicates that a DNP3 session has 3
been terminated.

Application 399

DNP3 Session Denied Indicates that a DNP3 session has 3
been denied.
DNP3 Session In Progress Indicates that a DNP3 session is in 1
progress.
Discard Session Opened Indicates that a Discard session has 1
been established.
Discard Session Closed Indicates that a Discard session has 1
been closed.
Discard Session Reset Indicates that a Discard session has 3
been reset.
Discard Session Indicates that a Discard session has 3
Discard Session Denied Indicates that a Discard session has 3
been denied.
Discard Session In Indicates that a Discard session is in 1
Progress progress.
DHCP Session Opened Indicates that a Dynamic Host 1
Configuration Protocol (DHCP) session
DHCP Session Closed Indicates that a DHCP session has 1
been closed.
DHCP Session Denied Indicates that a DHCP session has 3
been denied.
DHCP Session In Progress Indicates that a DHCP session is in 1
progress.
DHCP Success Indicates that a DHCP lease has been 1
successfully obtained
DHCP Failure Indicates that a DHCP lease could not 3
be obtained.
CVS Session Opened Indicates that a Concurrent Versions 1
System (CVS) session has been
established.
CVS Session Closed Indicates that a CVS session has been 1
closed.
CVS Session Reset Indicates that a CVS session has been 3
reset.
CVS Session Terminated Indicates that a CVS session has been 3
terminated.
CVS Session Denied Indicates that a CVS session has been 3
denied.
CVS Session In Progress Indicates that a CVS session is in 1
progress.


CUPS Session Opened Indicates that a Common Unix Printing 1
System (CUPS) session has been
established.
CUPS Session Closed Indicates that a CUPS session has 1
been closed.
CUPS Session Reset Indicates that a CUPS session has 3
been reset.
CUPS Session Terminated Indicates that a CUPS session has 3
been terminated.
CUPS Session Denied Indicates that a CUPS session has 3
been denied.
CUPS Session In Progress Indicates that a CUPS session is in 1
progress.
Chargen Session Started Indicates that a Character Generator 1
(Chargen) session has been started.
Chargen Session Closed Indicates that a Chargen session has 1
been closed.
Chargen Session Reset Indicates that a Chargen session has 3
been reset.
Chargen Session Indicates that a Chargen session has 3
Chargen Session Denied Indicates that a Chargen session has 3
been denied.
Chargen Session In Indicates that a Chargen session is in 1
Progress progress.
Misc VPN Indicates that a miscellaneous VPN 1
session has been detected
DAP Session Started Indicates that a DAP session has been 1
established.
DAP Session Ended Indicates that a DAP session has 1
ended.
DAP Session Denied Indicates that a DAP session has been 3
denied.
DAP Session Status Indicates that a DAP session status 1
request has been made.
DAP Session in Progress Indicates that a DAP session is in 1
progress.
DAP Authentication Failed Indicates that a DAP authentication has 4
failed.
DAP Authentication Indicates that DAP authentication has 1

Audit 401

TOR Session Started Indicates that a TOR session has been 1
established.
TOR Session Closed Indicates that a TOR session has been 1
closed.
TOR Session Reset Indicates that a TOR session has been 3
reset.
TOR Session Terminated Indicates that a TOR session has been 3
terminated.
TOR Session Denied Indicates that a TOR session has been 3
denied.
TOR Session In Progress Indicates that a TOR session is in 1
progress.
Game Session Started Indicates a game session has started. 1
Game Session Closed Indicates a game session has been 1
closed.
Game Session Reset Indicates a game session has been 3
reset.
Game Session Terminated Indicates a game session has been 3
terminated.
Game Session Denied Indicates a game session has been 3
denied.
Game Session In Progress Indicates a game session is in 1
progress.
Admin Login Attempt Indicates that an attempt to log in as an 2
administrative user has been detected.
User Login Attempt Indicates that an attempt to log in as a 2
non-administrative user has been
detected.
Audit The Audit category indicates audit related events. The associated low-level event
categories include:
Table E-16 Audit Categories

General Audit Event Indicates a general audit event has 1
been started.
Built-in Execution Indicates that a built-in audit task has 1
been executed.
Bulk Copy Indicates that a bulk copy of data has 1
been detected.

Table E-16 Audit Categories (continued)

Data Dump Indicates that a data dump has been 1
detected.
Data Import Indicates that a data import has been 1
detected.
Data Selection Indicates that a data selection process 1
has been detected.
Data Truncation Indicates that the data truncation 1
process has been detected.
Data Update Indicates that the data update process 1
has been detected.
Procedure/Trigger Indicates that the database procedure 1
Execution or trigger execution has been detected.
Schema Change Indicates that the schema for a 1
procedure or trigger execution has
been altered.
Risk The Risk category indicates events related to QRadar Risk Manager. The
associated low-level event categories include:
Table E-17 Risk Categories

Compliance Violation Indicates a compliance violation has 5
been detected.
Data Loss Possible Indicates that the possibility of data 5
loss has been detected.
Exposed Vulnerability Indicates that the network or device 9
has an exposed vulnerability.
Fraud Indicates a host or device is 7
susceptible to fraud.
Local Access Vulnerability Indicates that the network or device 7
has local access vulnerability.
Loss of Confidentiality Indicates that a loss of confidentially 5
has been detected.
Mis-Configured Rule Indicates a rule is not configured 3
properly.
Mis-Configured Device Indicates a device on the network is not 3
configured properly.
Mis-Configured Host Indicates a network host is not 3
configured properly.
No Password Indicates no password exists. 7

Risk 403
Table E-17 Risk Categories (continued)

Open Wireless Access Indicates that the network or device 5
has open wireless access.
Policy Exposure Indicates a policy exposure has been 5
detected.
Possible DoS Target Indicates a host or device is a possible 3
DoS target.
Possible DoS Weakness Indicates a host or device has a 3
possible DoS weakness.
Remote Access Indicates that the network or device 9
Vulnerability has a remote access vulnerability.
Un-Encrypted Data Indicates that a host or device is 3
Transfer transmitting data that is not encrypted.
Un-Encrypted Data Store Indicates that the data store is not 3
encrypted.
Weak Authentication Indicates a host or device is 5
susceptible to fraud.
Weak Encryption Indicates that the host or device has 5
weak encryption.

F CONFIGURING FLOW FORWARDING
FROM PRE-7.0 OFF-SITE FLOW
SOURCES
QRadar 7.0 introduced a new flow communication protocol, changing the way
components communicate. We recommend that you upgrade all systems in your
deployment to QRadar 7.0; however, if you do not upgrade systems in your
deployment hosting off-site flow sources, additional configuration is required. You
must add a single flow source configured with the Flow Source type as Pre-7.0
Off-site Flow Source. This enables conversion of flows from pre-7.0 off-site flow
sources to the QRadar 7.0off-site target.
If you subsequently upgrade the off-site flow sources to QRadar 7.0, you must
remove the flow converter and reconfigure flow forwarding from the upgraded
off-site flow sources to the off-site target.
This appendix provides information on configuring flow forwarding from pre-7.0

off-site flow sources including:
• Configuring Flow Forwarding from pre-7.0 Off-site Flow Sources
• Reconfiguring Flow Forwarding from an Upgraded Off-site Flow Sources
Configuring Flow To configure flow forwarding from off-site flow sources running QRadar 6.3.1 or
Forwarding from earlier to a off-site target running QRadar 7.0, you must:
pre-7.0 Off-site • Add an off-site target on each pre-7.0 off-site flow source. See Adding a
Flow Sources QRadar 7.0 Off-Site Target to a Pre-7.0 Off-Site Flow Source.
• Create pre-7.0 Off-Site Flow Source on the QRadar 7.0 Console. See Creating
a Pre-7.0 0ff-Site Flow Source.
Adding a QRadar 7.0 To add the off-site target to the pre-7.0 off-site flow source(s):
Off-Site Target to a
Pre-7.0 Off-Site Flow
Source
Note: You must repeat this procedure for each pre-7.0 off-site flow source in your
deployment.
Step 1 Log in to the system hosting pre-7.0 off-site flow source.

406 CONFIGURING FLOW FORWARDING FROM PRE-7.0 OFF-SITE FLOW SOURCES
Note: The following steps were documented using QRadar 6.3.1. If you are using
an earlier version, the steps may vary.
Step 2 In the deployment editor, click the Flow View tab.

The Flow View appears.
Step 3 In the Flow Components panel, select the Off-site Target component.
The Name component window appears.
Step 4 Enter a unique name for the off-site target you want to add. The name can be up to
15 characters in length and may include underscores or hyphens. Make sure you
record the assigned name. Click Next.
The flow source/target information window appears.
• Enter a name for the off-site host - Specify the name of the off-site target
host. The name can be up to 15 characters in length and may include
underscores or hyphens.
• Enter the IP address of the server - Specify the IP address of the off-site
target host to which you want to connect.
• Enter port of managed host - Specify the off-site target host port number. For
information about off-site target configuration, see Chapter 8 Using the
Deployment Editor.
• Encrypt traffic from off-site source - Select the check box if you want to
encrypt traffic from an off-site source.
Step 6 Click Next.
The component appears in your Flow View.
Step 8 Select the Flow Processor component.
Step 9 From the menu, select Actions > Add Connection.
An arrow appears in your map.
Step 10 Drag the end of the arrow to the off-site target.
The arrow connects the two components.
Step 11 From the menu, select File > Save to staging.
Now you must access the QRadar 7.0 Console and configure the pre-7.0 off-site
flow source.

Configuring Flow Forwarding from pre-7.0 Off-site Flow Sources 407
Creating a Pre-7.0 Creating a pre-7.0 off-site flow source enables conversion of flows from pre-7.0
0ff-Site Flow Source off-site flow sources to the QRadar 7.0 off-site target.
To create a pre-7.0 off-site flow source on the QRadar 7.0 Console:

Step 1 Log in to the QRadar 7.0 Console.
The Flow Sources window appears.
Step 6 Click Add.
The Add Flow Source window appears.
Table F-1 Add Flow Source Window Parameters
Build from Select the check box if you want to create this flow source using
existing flow an existing flow source as a template. Once the check box is
source selected, use the drop-down list box to select the desired flow
source and click Use as Template.
Flow Source Specify the name of the flow source. We recommend that for an
Name external flow source that is also a physical device, use the device
name as the flow source name. If the flow source is not a physical
device, make sure you use a meaningful name.
Note: Make sure you record the assigned name.
Target Collector Using the drop-down list box, select the Event Collector you want
to use for this flow source.
Flow Source Using the drop-down list box, select Pre-7.0 Off-site Flow
Type Source.
Enable In some networks, traffic is configured to take alternate paths for
Asymmetric inbound and outbound traffic. This is asymmetric routing. Select
Flows the check box is you want to enable asymmetric flows for this flow
source.

Table F-1 Add Flow Source Window Parameters (continued)
Flow Source Specify the address(es) of the off-site flow source host(s) in the
Address following format:
<IP address1>:<port1>[:<cidr1|cidr2|cidr3...>]
[,<IP address2>:<port2>[:<cidr1|cidr2|cidr3...>]
...
Where:
• <IP address> specifies the IP address of the off-site flow source.
This is usually the system in the earlier QRadar deployment running
the Central Flow Processor, for example, your QRadar 1701
appliance.
• <port> is the off-site flow source listen port. On older QRadar
systems, you can display the port number in the deployment editor by
using the right mouse button on the flow processor and selecting
Configure. Typically, the port number is between 32001 and 32010.
• <cidr> is the CIDR range for which you want to request flow traffic.
This is an optional parameter. The default is for all flows to be
forwarded to the off-site target.
For examples of flow source addresses, see Sample Flow
Source Addresses.
Encrypt Traffic Select the check box if you want to encrypt traffic from the flow
From Flow source. The default is clear.
Source
To ensure appropriate access, you must copy the public key
(located at /root/.ssh/id_rsa.pub) from the QRadar 7.0 Console to
the pre-7.0 off-site flow source host (copy the file to
/root/.ssh/authorized_keys).
We also recommend copying the public key from the pre-7.0
off-site flow source host to the QRadar 7.0 Console. This ensures
encryption is maintained after upgrading the pre-7.0 off-site flow
source to QRadar 7.0.
Note: If traffic is encrypted from the flow source, a tunneled
channel is created for each pre-7.0 off-site flow source IP address
and port connected to the Event Collector.
Sample Flow Source Addresses

The following table provides examples of flow source addresses:
Table F-2 Example Pre-7.0 Off-site Flow Source Addresses
Flow Source Address Description

10.10.10.10:32001 QRadar 1701 Flow Processor appliance running
QRadar 6.3.1 software.
10.10.10.11/32001, Distributed QRadar 6.3.0 deployment with two
10.10.10.12/32002 QRadar 1701 Flow Processor appliances.

Reconfiguring Flow Forwarding from an Upgraded Off-site Flow Sources 409
Table F-2 Example Pre-7.0 Off-site Flow Source Addresses (continued)
Flow Source Address Description

10.10.10.10:32001:10.20.0.0/8 QRadar 1701 Flow Processor appliance running
QRadar 6.3.1 software and requesting flows from
the CIDR range of 10.20.0.0/8
Reconfiguring Flow After upgrading your off-site flow sources to QRadar 7.0, flow conversion is no
Forwarding from an longer required. To continue flow forwarding from these upgraded off-site flow
Upgraded Off-site sources, you must:
Flow Sources • Remove the pre-7.0 off-site flow source. See Removing the Pre-7.0 Off-Site
Flow Source.
• Add the off-site target to the off-site flow source(s). See Reconnecting the
Off-site Target.
• Add the off-site source(s) to the off-site target. See Adding the Off-site
Source.
Removing the Pre-7.0 To delete the pre-7.0 off-site flow source:

Off-Site Flow Source
Step 1 Log in to the QRadar 7.0 Console.
Step 6 Select the pre7-0 off-site flow source you want to delete.
Step 8 Click Ok.
Reconnecting the To reconnect the off-site target to off-site flow source(s):

Off-site Target
Note: You must repeat this procedure for each upgraded off-site flow source.
Step 1 Log in to the system hosting the upgraded off-site flow source.


Step 3 In the right panel, reconnect the source Event Collector to the off-site target.
Note: Make sure the event/flow forwarding port is configured correctly for the
off-site target. For information on connecting components, see Chapter 8 Using
the Deployment Editor - Connecting Components.
Adding the Off-site To add the off-site source to off-site target:

Source
Step 1 Log in to the Console.
Step 3 In the left panel, select the Off-site Source component.
Step 4 Enter a unique name for the off-site source you want to add. The name can be up
to 15 characters in length and may include underscores or hyphens. Make sure
you record the assigned name. Click Next.
The Assign Component window appears.
Step 5 From the Select a host drop-down list box, select the off-site flow source from
which you want to forward flows. Click Next.
Note: You must repeat this step for all upgraded off-site flow sources.
The component ready to be added window appears.
The component appears in your Event View.

INDEX
A B
access category 366 backing up your information 84
accumulator backup and recovery
about 94 about 81
retention settings 65 deleting backup archives 83
accumulator retention importing backup archives 82
daily 65 initiating backup 87
hourly 65 managing backup archives 81
admin interface restoring configuration information 88
about 3 scheduling backups 84
using 4 viewing backup archive 81
administrative e-mail address 63 building blocks
administrator role 12 about 161
aeriel database settings 65 editing 192
alert e-mail from address 63
anomaly detection rules
anomaly rules
about 176 C
anomaly tests 343 changes
time threshold tests 344 deploying 5
behavioral rules coalescing events 64
about 177 command line max matched results 66
behavioral tests 345 common rules
time threshold tests 346 about 165
threshold rules common property tests 320
about 177 data/time tests 335
field threshold tests 347 function counter tests 331
time threshold tests 348 function negative tests 337
asset profile query period 64 function sequence tests 323
asset profile reporting interval 64 function simple tests 335
assets role 13 host profile tests 317
asymmetric flows 144 IP/port tests 319
audience 1 network property tests 335
audit log components 124
viewing 353 console settings 72
authentication content capture 126
configuring 20 conventions 1
LDAP 19 CRE category 378
RADIUS 19 custom rules 161
system 19 customer support
TACACS 19 contacting 2
user 19
authentication category 360
authorized services D
about 77 database settings 65
adding 78 delete root mail setting 63
revoking 79 deleting backup archives 83
token 77 deploying changes 5
viewing 77 deployment editor
auto detection 126, 132 about 93
automatic update accessing 95
about 58 creating your deployment 97
on demand 62 event view 98
scheduling 59 QRadar components 124

412 INDEX
requirements 97 firewall access 27

system view 108 flow category 379, 380
toolbar 96 flow configuration 142
using 95 flow rules
device access 27 about 165
device management 30 common property tests 301
discovering servers 195 data/time tests 314
DoS category 358 flow property tests 294
function counter tests 310
function negative tests 316
E function sequence tests 302
encryption 107, 108 function simple tests 314
enterprise template 213 host profile tests 291
default building blocks 232 IP/port tests 293
default rules 213 network property tests 314
event categories 355 flow source
event category correlation about 139
access category 366 adding aliases 148
audit events category 379 adding flow source 142
authentication category 360 deleting aliases 149
CRE category 378 deleting flow source 147
DoS category 358 editing aliases 148
exploit category 368 editing flow source 145
flow category 378, 379, 380 enabling/disabling 146
high-level categories 356 external 139
malware category 369 internal 139
policy category 377 managing aliases 147
potential exploit category 378 managing flow sources 139
recon category 357 virtual name 147
suspicious category 370 flowlog file 142
system category 373 forwarding normalized events and flows 104
Event Collector functions 161
about 98
configuring 130
Event Collector Connections 125 G
Event Processor global IPtables access 64
about 99
configuring 132
event rules
about 165
H
hashing
common property tests 274
event log 67
data/time tests 289
flow log 67
event property tests 271
hashing algorithm settings 68
function counter tests 285
high availability
function negative tests 290
about 37
function sequence tests 276
adding 42
function simple tests 289
editing 48
host profile tests 268
restoring a failed host 51
IP/port tests 270
setting HA host offline 51
log source tests 275
setting HA host online 51
network property tests 289
high-level categories 356
event view
host
about 94
adding 110
adding components 100
host context 94, 120
building 98
renaming components 107
exploit category 368
external flow sources 139 I
importing backup archives 82
initiating a backup 87
F interface roles 30

INDEX 413
internal flow sources 139

IP right click menu extension role 13 P
Packeteer 141
partition tester time-out 65
J passwords
J-Flow 141 changing 31
policy category 377
potential exploit category 378, 379
pre-7.0 off-site flow sources 405
L preferences 5
LDAP/Active directory 19
license key
exporting 25
managing 23 Q
log activity role 12 QFlow Collector
configuring 124
QFlow Collector ID 125
QRadar components 124
M
Magistrate
about 99
configuring 135 R
malware category 369 RADIUS authentication 19
managed host RDATE 32
adding 110 recon category 357
assigning components 119 remote networks groups 151
editing 112 remote networks object
removing 114 adding 152
setting-up 29 editing 153
managing backup archives 81 remote service groups 155
maximum real-time results 66 remote services object
MIB 201 adding 156
editing 157
reporting max matched results 66
reporting roles 13
N resetting SIM 5
NAT resolution interval length 63
editing 116 restarting system 26
enabling 114 restoring configuration information 88
removing 117 different IP address 90
using with QRadar 114 same IP address 88
NetFlow 124, 140 retention period
Net-SNMP 7 asset profile 66
network activity role 13 attacker history 65
Network Address Translation. See NAT flow data 66
network hierarchy log source data 66
creating 53 offense 65
network taps 124 roles
about 9
admin 12
O assets 13
offense rules creating 10
about 165 deleting 16
date/time tests 338 editing 15
function tests 338 IP right click menu extension 13
IP/port tests 338 log activity 12
log source tests 339 managing 9
offense property tests 339 network activity 13
offenses role 12 offenses 12
off-site source 105 reporting 13
off-site target 105 risks 13
rules
about 161

414 INDEX
copying 186 flow data retention period 66

creating anomaly detection rules 176 flow data storage location 66
creating custom rules 165 flow log hashing 67
deleting 187 global IPtables access 64
enabling/disabling 186 hashing algorithm 68
groups 187 hourly accumulator retention 65
assigning 192 log source data retention period 66
copying 190 log source storage location 66
creating 188 maximum real-time results 66
deleting 192 partition tester time-out 65
editing 189 reporting execution time limit 67
viewing 162 reporting max matched results 66
resolution interval length 63
retention period
S offense 65
scheduling your backup 84 search results retention period 66
search results retention period 66 store event payload 64
servers syslog event timeout 64
discovering 195 temporary files retention period 64
services TNC recommendation enable 64
authorized 77 user data files 65
sFlow 141 VIS passive host profile interval 64
shutting down system 26 web execution time limit 67
SIM web last minute execution time limit 67
resetting 5 system time 32
SNMP settings 69 system view
source about 94
off-site 105 adding a host 110
storage location assigning components 119
asset profile 66 Host Context 120
flow data 66 managed host 118
log source 66 managing 108
store event payload 64
suspicious category 370
syslog T
forwarding 197 TACACS authentication 19
adding 197 target
deleting 199 off-site 105
editing 198 templates
syslog event timeout 64 enterprise 213
system temporary files retention period 64
restarting 26 tests
shutting down 26 about 162
system authentication 19 thresholds 70
system category 373 time 32
system notifications 70 time limit
system settings command line execution 67
administrative e-mail address 63 reporting execution 67
alert e-mail from address 63 web execution 67
asset profile query period 64 web last minute execution 67
asset profile reporting interval 64 TNC recommendation enable 64
asset profile retention period 66 transaction sentry 68
asset profile storage location 66
attacker history retention period 65
coalescing events 64
command line execution time limit 67
U
updating user details 5
command line max matched results 66
user accounts
configuring 63
managing 16
daily accumulator retention 65
user data files 65
delete root mail 63
user roles 9
event log hashing 67
users

INDEX 415
authentication 19
creating account 16
disabling account 19
editing account 18
managing 9
V
viewing backup archives 81
VIS passive host profile interval 64

QRadar 70 AdminGuide

Uploaded by

Copyright:

Available Formats

QRadar 70 AdminGuide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

QRadar 70 AdminGuide

Uploaded by

Copyright:

Available Formats

QRadar Administration Guide

ABOUT THIS GUIDE

3 MANAGING THE SYSTEM

4 MANAGING HIGH AVAILABILITY

6 MANAGING AUTHORIZED SERVICES

7 MANAGING BACKUP AND RECOVERY

8 USING THE DEPLOYMENT EDITOR

9 MANAGING FLOW SOURCES

13 FORWARDING SYSLOG DATA

D VIEWING AUDIT LOGS

F CONFIGURING FLOW FORWARDING FROM PRE-7.0 OFF-SITE FLOW

Icon Type Description

Caution Information that alerts you to potential loss of

Include the following information with your comments:

QRadar Administration Guide

QRadar Administration Guide

This chapter provides an overview of QRadar administrative functionality including:

QRadar Administration Guide

• Managing vulnerability scanners. For more information, see the Managing

The Admin tab also includes several menu options including:

Menu Option Sub-Menu Description

QRadar Administration Guide

To reset the SIM module:

QRadar Administration Guide

Step 3 Read the information in the window.

QRadar Administration Guide

Note: HA is not supported in an IPv6 environment.

QRadar Administration Guide

This chapter provides information on managing QRadar users including:

Using the Admin tab, you can:

Viewing Roles To view roles:

QRadar Administration Guide

The Manage Roles window provides the following information:

Creating a Role To create a role:

QRadar Administration Guide

QRadar Administration Guide

Table 3-2 Create Roles Parameters (continued)

QRadar Administration Guide

Table 3-2 Create Roles Parameters (continued)

QRadar Administration Guide

Step 6 Click Next.

QRadar Administration Guide

Editing a Role To edit a role:

Step 8 Update log source permissions, as desired:

QRadar Administration Guide

Step 13 Close the Manage User Roles window.

Deleting a Role To delete a role:

Creating a User To create an account for a QRadar user:

QRadar Administration Guide

Step 5 Enter values for the following parameters:

Table 3-3 User Details Parameters

Step 6 Click Next.

QRadar Administration Guide

Editing a User To edit a user account:

QRadar Administration Guide

Disabling a User To disable a user account:

QRadar Administration Guide

If you want to configure RADIUS, TACACS, or LDAP/Active Directory as the

Once authentication is configured and a user enters an invalid username and