
QRadar SIEM Sample use case monitoring / response rule sets

April 1, 2021

Botnet: Local host on Botnet CandC List (DST)
Botnet: Local Host on Botnet CandC List (SRC)
Botnet: Potential Botnet Events Become Offenses
Botnet: Potential Connection to a Known Botnet CandC
Botnet: Successful Inbound Connection from a Known Botnet CandC
DDoS: DDoS Attack Detected
DDoS: Potential DDoS Against Single Host (TCP)
DoS: Local Flood (TCP)
DoS: Network DoS Attack Detected
DoS: Service DoS Attack Detected
Exploit: Chained Exploit Followed by Suspicious Events
Exploit: Destination Vulnerable to Detected Exploit
Exploit: Destination Vulnerable to Detected Exploit on a Different Port
Exploit: Exploit / Malware Events Across Multiple Destinations
Exploit: Multiple Exploit Types Against Single Destination
Exploit: Recon followed by Exploit
Malware: Communication with a site that is listed on a known blacklist or uses fast flux
Malware: Communication with a web site known to be associated with the Russian business network
Malware: Remote: Client Based DNS Activity to the Internet
Policy: Local: Hidden FTP Server
Policy: Local: SSH or Telnet Detected on Non-Standard Port
Policy: Remote: Hidden FTP Server
Policy: Remote: SMTP Mail Sender
Policy: Remote: SSH or Telnet Detected on Non-Standard Port
Repeat Attack IDS Event
DoS Offense
Repeat Attack – Firewall denies – Outbound
Repeat Attack – Firewall denies – Inbound
Repeat Attack – Firewall accepts following repeated Firewall denies
Watch List Alert – Outbound
Login failure to a disabled account
Malware Offense
Repeat Attack – Suspicious Events following a Watchlist alert
Repeat Attack – NIPS
Repeat Attack – Foreign
Virus / Malware / Spyware detected but failed to clean
Malware Offense Failed to Remove
gTIC URL Shun List – Outbound
EPS License Violation
Possible Outbreak_Excessive
Possible Outbreak – Multiple Infected Hosts Detected on the Same Subnet on
Known Attacker Allowed in Network
Attack-Login Target
Suspicious Post from Untrusted Source
Traffic Allowed to Known Attacker
CRE alert
FireEye Alert
High Offense Alert
WormDetection: Local Mass Mailing Host Detected
WormDetection: Possible Local Worm Detected
WormDetection: Successful Connections to the Internet on Common Worm Ports
WormDetection: Worm Detected (Events)
Device Stopped Sending Events (Firewall, IPS, VPN or Switch)

Health
System Notification Alert: License Errors
System Notification Alert: Disk Usage Exceeded Warn Threshold
System Notification: HA Error
System Notification: Out of Memory
QRadar System Alerts

Recon: Aggressive Local L2L Scanner Detected
Recon: Aggressive Local L2R Scanner Detected
Recon: Aggressive Remote Scanner Detected
Recon: Excessive Firewall Denies from Local Host
Recon: Excessive Firewall Denies from Remote Host
Recon: Host Port Scan Detected by Remote Host
Recon: Local L2L Database Scanner
Recon: Local L2L DHCP Scanner
Recon: Local L2L DNS Scanner
Recon: Local L2L FTP Scanner
Recon: Local L2L Game Server Scanner
Recon: Local L2L ICMP Scanner
Recon: Local L2L IM Server Scanner
Recon: Local L2L IRC Server Scanner
Recon: Local L2L LDAP Server Scanner
Recon: Local L2L Mail Server Scanner
Recon: Local L2L P2P Server Scanner
Recon: Local L2L Proxy Server Scanner
Recon: Local L2L RPC Server Scanner
Recon: Local L2L Scanner Detected
Recon: Local L2L SNMP Scanner
Recon: Local L2L SSH Server Scanner
Recon: Local L2L Suspicious Probe Events Detected
Recon: Local L2L TCP Scanner
Recon: Local L2L UDP Scanner
Recon: Local L2L Web Server Scanner
Recon: Local L2L Windows Server Scanner
Recon: Local L2R Database Scanner
Recon: Local L2R DHCP Scanner
Recon: Local L2R DNS Scanner
Recon: Local L2R FTP Scanner
Recon: Local L2R Game Server Scanner
Recon: Local L2R ICMP Scanner
Recon: Local L2R IM Server Scanner
Recon: Local L2R IRC Server Scanner
Recon: Local L2R LDAP Server Scanner
Recon: Local L2R Mail Server Scanner
Recon: Local L2R P2P Server Scanner
Recon: Local L2R Proxy Server Scanner
Recon: Local L2R RPC Server Scanner
Recon: Local L2R Scanner Detected
Recon: Local L2R SNMP Scanner
Recon: Local L2R SSH Server Scanner
Recon: Local L2R TCP Scanner
Recon: Local L2R UDP Scanner
Recon: Local L2R Web Server Scanner
Recon: Local L2R Windows Server Scanner
Recon: Local Windows Scanner to Internet
Recon: Potential Local Port Scan Detected
Recon: Potential P2P or VoIP Traffic Detected
Recon: Remote Database Scanner
Recon: Remote DHCP Scanner
Recon: Remote DNS Scanner
Recon: Remote FTP Scanner
Recon: Remote Game Server Scanner
Recon: Remote ICMP Scanner
Recon: Remote IM Server Scanner
Recon: Remote IRC Server Scanner
Recon: Remote LDAP Server Scanner
Recon: Remote Mail Server Scanner
Recon: Remote P2P Scanner
Recon: Remote Proxy Server Scanner
Recon: Remote RPC Server Scanner
Recon: Remote Scanner Detected
Recon: Remote SNMP Scanner
Recon: Remote SSH Server Scanner
Recon: Remote UDP Scanner
Recon: Remote Web Server Scanner
Recon: Remote Windows Server Scanner
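The Recon: rules above all reduce to one measurement: how many distinct destination/port pairs a single source has been denied against inside a short window, with the rule name chosen from who is scanning (local or remote), in which direction (L2L, L2R) and which service port is being probed. The block below is an added example of that logic run over constructed firewall events; it is not QRadar's own rule implementation. The local network CIDRs, the port-to-service map, the 60-second window, the five-target threshold and the sample events are all assumptions.

```python
"""Scanner detection over firewall deny events, in the spirit of the Recon: rules.

Added example, not QRadar's rule logic. Local CIDRs, the port-to-service map
and the sample events are constructed assumptions.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumption: stands in for the network hierarchy that defines "local" in the SIEM.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumption: which destination port is reported as which service in the rule name.
SERVICE_BY_PORT = {
    21: "FTP", 22: "SSH Server", 25: "Mail Server", 53: "DNS", 80: "Web Server",
    389: "LDAP Server", 443: "Web Server", 445: "Windows Server",
    1433: "Database", 3306: "Database",
}

# Constructed sample firewall events: (epoch_seconds, src, dst, dst_port, action)
EVENTS = [
    # 10.0.0.5 probes TCP/22 on six internal hosts in eight seconds (SSH sweep)
    (100, "10.0.0.5", "10.0.1.1", 22, "deny"),
    (101, "10.0.0.5", "10.0.1.2", 22, "deny"),
    (103, "10.0.0.5", "10.0.1.3", 22, "deny"),
    (104, "10.0.0.5", "10.0.1.4", 22, "deny"),
    (106, "10.0.0.5", "10.0.1.5", 22, "deny"),
    (108, "10.0.0.5", "10.0.1.6", 22, "deny"),
    # 203.0.113.7 walks seven ports on one host (vertical port scan from outside)
    (200, "203.0.113.7", "10.0.0.20", 21, "deny"),
    (200, "203.0.113.7", "10.0.0.20", 22, "deny"),
    (201, "203.0.113.7", "10.0.0.20", 23, "deny"),
    (201, "203.0.113.7", "10.0.0.20", 25, "deny"),
    (202, "203.0.113.7", "10.0.0.20", 80, "deny"),
    (202, "203.0.113.7", "10.0.0.20", 443, "deny"),
    (203, "203.0.113.7", "10.0.0.20", 3389, "deny"),
    # 10.0.0.9: two denies ten minutes apart and an accept, normal noise, must not alert
    (300, "10.0.0.9", "10.0.1.1", 445, "deny"),
    (301, "10.0.0.9", "10.0.1.1", 445, "accept"),
    (900, "10.0.0.9", "10.0.1.2", 445, "deny"),
]


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def direction(src: str, dst: str) -> str:
    """L2L / L2R / R2L / R2R, the prefixes the rule names use."""
    s, d = is_local(src), is_local(dst)
    return "L2L" if s and d else "L2R" if s else "R2L" if d else "R2R"


def rule_name(src: str, targets) -> str:
    """Build a name in the list's style from who scanned and what was hit."""
    hosts = {dst for dst, _ in targets}
    services = {SERVICE_BY_PORT.get(port) for _, port in targets}
    if is_local(src):
        # Direction is read from one target; a sweep mixing L2L and L2R targets
        # is reported under whichever destination sorts first.
        prefix = f"Recon: Local {direction(src, min(hosts))} "
    else:
        prefix = "Recon: Remote "
    if len(services) == 1 and None not in services:
        return prefix + f"{services.pop()} Scanner"   # e.g. "Recon: Local L2L SSH Server Scanner"
    return prefix + "Scanner Detected"                 # mixed or unmapped ports


def detect_scanners(events, window=60, min_targets=5):
    """Flag a source whose denied connections reach >= min_targets distinct
    (destination, port) pairs inside any `window`-second span.

    Returns {src: {"rule", "targets", "hosts", "ports"}} holding the widest
    fan-out observed for each flagged source.
    """
    denies = defaultdict(list)
    for ts, src, dst, port, action in events:
        if action == "deny":          # accepts are not evidence of scanning here
            denies[src].append((ts, dst, port))

    alerts = {}
    for src, evs in denies.items():
        evs.sort()
        in_window = Counter()         # (dst, port) -> hits currently inside the window
        lo = 0
        for ts, dst, port in evs:
            in_window[(dst, port)] += 1
            while ts - evs[lo][0] > window:   # slide the left edge of the window
                old = (evs[lo][1], evs[lo][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_targets and len(in_window) > alerts.get(src, {}).get("targets", 0):
                alerts[src] = {
                    "rule": rule_name(src, in_window),
                    "targets": len(in_window),
                    "hosts": len({d for d, _ in in_window}),
                    "ports": sorted({p for _, p in in_window}),
                }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_scanners(EVENTS).items():
        print(src, alert)
```

Counting distinct (destination, port) pairs rather than raw denies is what separates a scanner from a chatty host that keeps retrying one blocked service; the third source above produces denies but never fans out, so it stays quiet. Tune `window` and `min_targets` per segment, because a single threshold will either miss slow L2R scans or page on every vulnerability scanner in the L2L case.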

Threat Intelligence (M S Pe gTIC)
Threat Feed Botnet (R2L)
Threat Feed Malware (R2L)
Threat Feed BotNet (L2R)
Threat Feed for URL Malware (L2R)
Threat Feed for URL Malware (R2L)
Password spray
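The Botnet: rules near the top of the list and the Threat Feed rules just above are the same mechanism seen from two sides: an indicator set (C&C networks, malicious hostnames) matched against event addresses, with the direction of the flow (L2R versus R2L) and the firewall verdict deciding which rule fires. The block below is an added example of that matching, not QRadar's reference-set implementation. The local CIDRs, the feed contents, the rule-name mapping and the sample flow and proxy events are constructed assumptions.

```python
"""Threat-feed matching with direction, in the spirit of the Botnet: and Threat Feed rules.

Added example, not QRadar's reference-set logic. Local CIDRs, feed indicators,
the rule mapping and the sample events are constructed assumptions.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumption: what counts as "local" for L2R / R2L classification.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed feed: network indicators for botnet C&C, hostname indicators for malware URLs.
FEED_NETS = {
    ip_network("198.51.100.0/24"): "botnet",
    ip_network("203.0.113.66/32"): "botnet",
}
FEED_HOSTS = {"evil.example": "url_malware", "cdn.bad.example": "url_malware"}

# Constructed events: firewall flows and proxy requests.
EVENTS = [
    {"type": "flow", "src": "10.0.0.5", "dst": "198.51.100.23", "dport": 443, "action": "accept"},
    {"type": "flow", "src": "203.0.113.66", "dst": "10.0.0.20", "dport": 22, "action": "accept"},
    {"type": "flow", "src": "203.0.113.66", "dst": "10.0.0.21", "dport": 445, "action": "deny"},
    {"type": "proxy", "src": "10.0.0.7", "url": "http://update.evil.example/payload.bin"},
    {"type": "flow", "src": "10.0.0.8", "dst": "93.184.216.34", "dport": 443, "action": "accept"},
    {"type": "proxy", "src": "10.0.0.7", "url": "https://example.com/"},
]


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def net_indicator(ip: str):
    """Longest-prefix match against the network feed; None when the address is clean."""
    addr = ip_address(ip)
    hits = [net for net in FEED_NETS if addr in net]
    return FEED_NETS[max(hits, key=lambda net: net.prefixlen)] if hits else None


def host_indicator(host: str):
    """Exact or parent-domain match, so update.evil.example hits the evil.example entry."""
    host = host.lower().rstrip(".")
    for entry, category in FEED_HOSTS.items():
        if host == entry or host.endswith("." + entry):
            return category
    return None


def evaluate(event):
    """Return (rule name, matched indicator) for an event, or None if nothing matched."""
    if event["type"] == "proxy":
        host = urlsplit(event["url"]).hostname or ""
        if host_indicator(host) is None:
            return None
        direction = "L2R" if is_local(event["src"]) else "R2L"
        return f"Threat Feed for URL Malware ({direction})", host

    src_local, dst_local = is_local(event["src"]), is_local(event["dst"])
    if src_local and not dst_local and net_indicator(event["dst"]) == "botnet":
        # A local host reaching out to a listed C&C address, whatever the verdict.
        return "Botnet: Potential Connection to a Known Botnet CandC", event["dst"]
    if dst_local and not src_local and net_indicator(event["src"]) == "botnet":
        # Inbound from a listed C&C: the verdict decides how serious the hit is.
        if event["action"] == "accept":
            return "Botnet: Successful Inbound Connection from a Known Botnet CandC", event["src"]
        return "Threat Feed Botnet (R2L)", event["src"]
    return None


def run(events):
    """Evaluate every event; returns [(src, indicator, rule), ...] in event order."""
    hits = []
    for event in events:
        result = evaluate(event)
        if result:
            hits.append((event["src"], result[1], result[0]))
    return hits


if __name__ == "__main__":
    for hit in run(EVENTS):
        print(*hit)
```

Two details matter in practice: match networks by longest prefix so a /32 indicator can carry a different category than the /24 around it, and match hostnames on the parent domain, since feeds list `evil.example` while proxies log `update.evil.example`. A denied inbound packet from a listed C&C is still worth a low-priority rule (the attacker knows you exist), but only the accepted one should escalate to an offense.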

UBA TBD
Hard Blocked Nations
Top 20 Watchlists
MFA registrations
MFA failures
MFA lockouts
MFA Suspicious successful changes

Top 100 Watchlists

SIEM reports:
Geo Location report (Weekly)
Network Traffic (Daily / Weekly)
Error and Failure report (Daily)
Top Log Source by Volume
EPS Report
Authentication: Login Failures Followed By Success from the same Source IP
Authentication: Login Failures Followed By Success to the same Destination IP
Authentication: Login Failures Followed By Success to the same Username
Authentication: Login Successful After Scan Attempt
Authentication: Multiple Login Failures for Single Username
Authentication: Multiple Login Failures from the Same Source
Authentication: Multiple Login Failures to the Same Destination
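The Authentication: rules above are sequence and threshold rules over the same two event types, failed and successful logins, keyed on source IP, destination or username. The block below is an added example of three of them run over constructed sshd-style log lines: "Login Failures Followed By Success" (keyed on source IP or username), "Multiple Login Failures" (same keys), and the "Password spray" pattern listed under threat intelligence, which the per-username threshold misses by design. It is not QRadar's rule engine. The log format, the ten-minute window, the thresholds and the sample lines are assumptions.

```python
"""Authentication sequence rules over constructed sshd lines.

Added example, not QRadar's rule engine. Log format, windows, thresholds and
the sample lines are constructed assumptions.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. First block: brute force of alice that finally succeeds.
# Second block: two typos by dave, then success (benign). Third block, generated
# below: one source trying twelve usernames once each, i.e. a password spray.
LOG = """\
2021-04-01T10:00:01Z sshd[101]: Failed password for alice from 198.51.100.4 port 50122
2021-04-01T10:00:03Z sshd[101]: Failed password for alice from 198.51.100.4 port 50123
2021-04-01T10:00:05Z sshd[101]: Failed password for alice from 198.51.100.4 port 50124
2021-04-01T10:00:08Z sshd[101]: Failed password for alice from 198.51.100.4 port 50125
2021-04-01T10:00:11Z sshd[101]: Failed password for alice from 198.51.100.4 port 50126
2021-04-01T10:00:20Z sshd[101]: Accepted password for alice from 198.51.100.4 port 50127
2021-04-01T10:05:00Z sshd[102]: Failed password for dave from 10.0.0.3 port 41000
2021-04-01T10:05:04Z sshd[102]: Failed password for dave from 10.0.0.3 port 41001
2021-04-01T10:05:09Z sshd[102]: Accepted password for dave from 10.0.0.3 port 41002
"""
SPRAY_USERS = ["bob", "carol", "erin", "frank", "grace", "heidi",
               "ivan", "judy", "mallory", "oscar", "peggy", "trent"]
LOG += "".join(
    f"2021-04-01T11:00:{i:02d}Z sshd[103]: Failed password for invalid user {u} "
    f"from 203.0.113.9 port {52000 + i}\n"
    for i, u in enumerate(SPRAY_USERS)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)
WINDOW = timedelta(minutes=10)   # assumption: the rule window


def parse(log: str):
    """Turn matching lines into sorted events; non-matching lines are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "ok": m["result"] == "Accepted",
                           "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


EVENTS = parse(LOG)


def failures_then_success(events, key, min_failures=5, window=WINDOW):
    """'Login Failures Followed By Success', keyed on 'src' or 'user'.

    Fires on the success that closes a run of >= min_failures failures inside
    the window; returns [(key value, failures counted)].
    """
    recent = defaultdict(deque)      # key value -> timestamps of recent failures
    alerts = []
    for e in events:
        q = recent[e[key]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["ok"]:
            if len(q) >= min_failures:
                alerts.append((e[key], len(q)))
            q.clear()                # a success ends the failure run
        else:
            q.append(e["ts"])
    return alerts


def multiple_failures(events, key, threshold=5, window=WINDOW):
    """'Multiple Login Failures for Single Username' (key='user') or
    'from the Same Source' (key='src'); fires with or without a later success.
    Returns {key value: peak failures in any window}."""
    recent, fired = defaultdict(deque), {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e[key]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            fired[e[key]] = max(fired.get(e[key], 0), len(q))
    return fired


def password_spray(events, min_users=10, max_per_user=2, window=WINDOW):
    """One source, many distinct usernames, at most max_per_user failures each.
    This is the shape the per-username threshold cannot see."""
    per_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            per_src[e["src"]].append(e)
    alerts = []
    for src, fails in per_src.items():
        best, lo = 0, 0
        for hi in range(len(fails)):
            while fails[hi]["ts"] - fails[lo]["ts"] > window:
                lo += 1
            counts = Counter(f["user"] for f in fails[lo:hi + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                best = max(best, len(counts))
        if best:
            alerts.append((src, best))
    return alerts


if __name__ == "__main__":
    print("failures then success by src :", failures_then_success(EVENTS, "src"))
    print("failures then success by user:", failures_then_success(EVENTS, "user"))
    print("multiple failures by user    :", multiple_failures(EVENTS, "user"))
    print("multiple failures by src     :", multiple_failures(EVENTS, "src"))
    print("password spray               :", password_spray(EVENTS))
```

Running the three detectors over the same events shows why the list keeps separate rules per key: the spraying source trips "Multiple Login Failures from the Same Source" but never "for Single Username", and it never produces a success, so only the distinct-user rule names it as a spray. The same layout maps onto MFA events (registrations, failures, lockouts) by changing the regex and the key.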