IBM QRadar

  • 1.  Offense Source -> Custom Property

    Posted Fri June 25, 2021 04:04 AM
    Hi Community,

    I configured a rule to monitor whether log sources stopped sending events.
    As Rule Action, I created an Event that triggers an offense. As offense source, I chose "Source IP".

    My expectation: For every Log Source which stopped sending events, there will be an offense.

    Reality: For Log Sources whose Identifier is an IP, this will work fine. However, for log sources whose Identifier is something else, such as a Hostname, an offense will be created with source IP 0.0.0.0. Every time one of those log sources stops sending events, this offense indexed by 0.0.0.0 is updated.

    I then noticed that the CRE event that I created contains the name of the Log Source, something like "Log source ' WindowsAuthServer @ bruno.balacobaco '". I then extracted the property and set it to be usable in rules. I then changed my rule to use this new property as offense source. Whenever QRadar detects that some log source stopped sending events, this event is generated by the CRE and I can see my property there and also that this event matches my rule. However, no offense is created.


    For ordinary Events I created some custom properties and configured those as "offense source" for my rules. It worked fine.
    Is this an issue? It refers to custom properties within Events generated by the Custom Rule Engine.

    Thank you

    Regards,

    Bruno

    ------------------------------
    BrunoMarX
    ------------------------------
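    The collision Bruno describes can be reproduced outside QRadar with a small model. The script below is an added illustration, not QRadar's code or IBM's guidance: it takes a constructed table of log sources (identified by an IP or a hostname) with their last-seen timestamps, finds the ones that have gone silent, and groups them into "offenses" first by a Source IP key and then by the full log source string. The rule that a non-IP identifier maps to 0.0.0.0 is an assumption taken from the behaviour reported in the post, and the whole grouping step only models what the thread reports; it does not say anything about whether QRadar will accept a custom property as the index for a dispatched event.

```python
"""Model of how the offense index key affects 'log source stopped sending'
detections. Added illustration; not QRadar's own code."""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: (log source name, identifier) and the last time each
# source delivered an event. Identifiers mix IPs and hostnames on purpose.
NOW = datetime(2021, 6, 25, 4, 0)
MAX_SILENCE = timedelta(hours=1)
SAMPLE_LAST_SEEN = {
    ("Firewall-A", "10.0.0.5"): NOW - timedelta(hours=5),
    ("Firewall-B", "10.0.0.6"): NOW - timedelta(minutes=3),
    ("WindowsAuthServer", "bruno.balacobaco"): NOW - timedelta(hours=2),
    ("WindowsAuthServer2", "dc02.example.test"): NOW - timedelta(hours=7),
}


def stale_log_sources(last_seen, now, max_silence):
    """Return the (name, identifier) pairs silent for longer than max_silence."""
    return [src for src, ts in last_seen.items() if now - ts > max_silence]


def index_by_source_ip(src):
    """Index key when the rule's offense source is 'Source IP'.
    Assumption modelled from the thread: a hostname identifier has no IP to
    offer, so every such source lands on the 0.0.0.0 key."""
    _name, identifier = src
    try:
        return str(ipaddress.ip_address(identifier))
    except ValueError:
        return "0.0.0.0"


def index_by_log_source(src):
    """Index key when indexing on a property carrying the full log source
    string, as it appears in the CRE event text ('NAME @ IDENTIFIER')."""
    name, identifier = src
    return f"{name} @ {identifier}"


def group_offenses(stale, index_fn):
    """Group silent sources by index key: sources sharing a key would update
    one existing offense instead of each creating their own."""
    offenses = {}
    for src in stale:
        offenses.setdefault(index_fn(src), []).append(src)
    return offenses


if __name__ == "__main__":
    stale = stale_log_sources(SAMPLE_LAST_SEEN, NOW, MAX_SILENCE)
    for label, fn in (("Source IP", index_by_source_ip),
                      ("Log source string", index_by_log_source)):
        print(f"Offense source = {label}")
        for key, srcs in group_offenses(stale, fn).items():
            print(f"  offense {key!r}: {len(srcs)} silent source(s)")
```

    With the Source IP key, the two hostname-identified servers collapse into a single 0.0.0.0 offense, which is exactly the "one offense keeps getting updated" symptom; with the log source string as key, each silent source gets its own entry. The model is useful for checking which identifier a monitoring rule should key on before touching the rule itself.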


  • 2.  RE: Offense Source -> Custom Property

    Posted Tue June 29, 2021 07:55 AM
    You cannot use custom properties to index an offense that is created by a dispatched event.


    https://www.ibm.com/docs/en/qradar-on-cloud?topic=indexing-offense-considerations

    ------------------------------
    BrunoMarX
    ------------------------------



  • 3.  RE: Offense Source -> Custom Property

    Posted Thu July 01, 2021 04:37 AM
    Hello Bruno,

    thanks for sharing your experience. I am working on similar issues at the moment. I found a recommendation from IBM regarding it:
    https://www.ibm.com/docs/en/qradar-common?topic=spot-device-stopped-sending-events

    "Unlike the CRE, the DSSE runs on the absence of events, and this creates a conflict as many of the typical "CRE-isms" (read: actions, responses, other tests, and, filters in the same rule) become unavailable, and don't get called properly. Additionally, when any particular type of device in a device group or device list stops sending, the DSSE rule (shown in the following diagram), detects an issue."

    The proposed solution in this document sounds good, but the described configuration is not sufficient to implement the solution, as far as I experienced it. I tried to implement it but did not get it to work and switched back to the DSSE rule. I used the feedback button on the article and got a response that my request was received, but no additional information so far.

    It would be great if you share your solution in case you find a good one. I also found another request in an IBM forum from a user struggling with the details of creating that rule.

    Thank you,
    Regards
    Martin

    ------------------------------
    Martin Schmitt
    ------------------------------