I am using QRadar CE 7.3 and QRadar 7.4.0.
I configured a rule for the logs of McAfee Endpoint Security products in QRadar, as follows:
Rule Action:
- Choose: Ensure the detected event is part of an offense and Index offense based on Username.
Rule Response:
- Choose: Dispatch New Event
- Event Name and Event Description are "Detect McAfee Endpoint Security high/critical severity"
- Event Details:
- Severity: 3, Credibility: 5, Relevance: 5
- High-Level Category: Malware, Low-Level Category: Unknown Malware.
- Choose: Ensure the dispatched event is part of an offense and Index offense based on Username.
- Choose Offense Naming: This information should contribute to the name of the associated offense(s)
Response Limiter
- Respond no more than 1 time(s) per 30 minutes per rule
Enable Rule
----------------------------------
Expected result: the offense name is "Detect McAfee Endpoint Security high/critical severity containing Exploit Prevention Files/Process/Registry violation detected", where:
- "Detect McAfee Endpoint Security high/critical severity" is the rule name
- "Exploit Prevention Files/Process/Registry violation detected" is the event name
But in the system, many offenses appeared with the name "xploit Prevention Files/Process/Registry violation detected". In those offenses, the Event/Flow count section does not contain the event name "Detect McAfee Endpoint Security high/critical severity" with log source "Custom Rule Engine-8 :: NVLDC-SIEM01".
I don't know whether this is a fault; please guide me. Thanks.
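As an added example (not part of the post above, and not QRadar's own code), a small audit that flags offenses whose name does not match the expected "rule name containing event name" pattern, or that have no Custom Rule Engine log source, which is the symptom the post describes. The offense records are constructed here, and the field names `description` and `log_sources` are an assumption about what the offenses API returns.

```python
# Expected naming pieces, taken from the post above.
RULE_NAME = "Detect McAfee Endpoint Security high/critical severity"
EVENT_NAME = "Exploit Prevention Files/Process/Registry violation detected"
CRE_PREFIX = "Custom Rule Engine"  # log source name prefix of CRE-dispatched events

# Constructed sample offenses: one healthy, one with the truncated name from the
# post and no CRE log source, one with the bare event name only.
# Field names (description, log_sources) are an assumption about API output.
SAMPLE_OFFENSES = [
    {"id": 101,
     "description": f"{RULE_NAME} containing {EVENT_NAME}",
     "log_sources": [{"name": "Custom Rule Engine-8 :: NVLDC-SIEM01"},
                     {"name": "McAfeeEPO @ epo01"}]},
    {"id": 102,
     "description": "xploit Prevention Files/Process/Registry violation detected",
     "log_sources": [{"name": "McAfeeEPO @ epo01"}]},
    {"id": 103,
     "description": EVENT_NAME,
     "log_sources": [{"name": "McAfeeEPO @ epo01"}]},
]


def audit_offense(offense):
    """Return a list of findings for one offense; an empty list means it looks as expected."""
    findings = []
    desc = offense.get("description", "")
    names = [ls.get("name", "") for ls in offense.get("log_sources", [])]
    if not desc.startswith(RULE_NAME):
        findings.append("description does not start with the rule name")
    if EVENT_NAME not in desc:
        findings.append("description is missing or truncates the event name")
    if not any(n.startswith(CRE_PREFIX) for n in names):
        findings.append("no Custom Rule Engine log source: dispatched event did not contribute")
    return findings


def audit_offenses(offenses):
    """Map offense id -> findings, keeping only offenses that have at least one finding."""
    result = {}
    for offense in offenses:
        findings = audit_offense(offense)
        if findings:
            result[offense["id"]] = findings
    return result


if __name__ == "__main__":
    for offense_id, findings in audit_offenses(SAMPLE_OFFENSES).items():
        print(offense_id, "->", "; ".join(findings))
```

Running it against real data means replacing `SAMPLE_OFFENSES` with the offense list fetched from the console; the checks themselves only depend on the two fields named above.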