Ismael,
this is a very interesting question. We are using the meta event search you described regularily in SOC and in most cases a meta event is correlated to an offense. However events, metaevents and offenses are not directly related because of the way CRE works. There is rule correlation, escpecially for all offenses not yet closed as you remarked correctly. Once closed a new offense id will be created as soon as rule tests match fully.
In the case offense is still open an all other event attributes match the meta event and the corresponding events will be linked to the existing offense you find when clicking on the event offense attribute. May a bit confusing for someone not being familiar with QRadar. Of course you are!
At least it gives me an idea for my next blog entry called - why you cant search in CRE for offense is not NA when associated with offense is true!
------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------
Original Message:
Sent: Thu April 13, 2023 08:37 AM
From: İsmail Kaya
Subject: Created offenses count by event name
Hi,
I want to see how many rule created in a mount. I filtered logs as "log source is CRE, Associated with offense true and group by event name(rule name for offenses as you know)".
However as you know all events although they don't create a new offense before close it are seen at this search result. CRE logs doesn't include offense ID and SIM Audit logs show offense id for created Offense but they don't include Event Name(rule name). How can I find the desired search result? Is there any Aql filter or different way to join these fields in one search?
Thank you,
İsmail K.
------------------------------
İsmail Kaya
------------------------------