IBM QRadar

  • 1.  Rule fires but no offense

    Posted Thu June 03, 2021 02:25 PM

    Hi,

    I'm fairly new to QRadar and I'm having an issue with a new rule I'm trying to create. The rule simply monitors for a situation where no events are seen from a certain log source that's part of a log source group and creates a new offense when this occurs. Here's the rule:

    'Apply ADCC: Logging Failure on events which are detected by the Local system

    and when the event(s) have not been detected by one or more of ADCC for 1800 seconds'

    where 'ADCC' is the log source group. For the response I have 'Ensure the detected event is part of an offense' checked, index based on 'Log Source', 'Annotate this offense with 'ADCC'' and 'Include detected events by Log Source from this point forward, in the offense, for 1800 second(s)' checked. I also have 'Email' checked in Rule Response with a valid email address. I have 'Response Limiter' configured with 'Respond no more than 1 time(s) per 4 hour(s) per Log Source'.

    I know the rule is firing because I'm receiving an email with the details, but no offense is being created. Any suggestions?

    Thanks

    Dave



    #QRadar
    #Support
    #SupportMigration
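To make the rule described above concrete, here is an added example (not QRadar code and not from the original post) that models what its tests and response limiter do: track the last event seen per log source in the group, fire when a source has been silent for 1800 seconds, and suppress repeat firings for the same source inside the four-hour limiter window. The group name ADCC is from the post; the member log source names, timestamps and events are constructed for the example, and evaluating the watchdog on every event arrival stands in for QRadar's internal timer, which the post does not describe.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed membership of the "ADCC" log source group (hypothetical names).
ADCC_GROUP = {"adcc-fw-01", "adcc-fw-02", "adcc-proxy-01"}
SILENCE_SECONDS = 1800          # the rule's "for 1800 seconds" test
LIMITER = timedelta(hours=4)    # "no more than 1 time(s) per 4 hour(s) per Log Source"

# Constructed sample feed: (log source, UTC timestamp). adcc-proxy-01 goes
# quiet after 13:00:20; adcc-fw-02 goes quiet after 14:05:00.
SAMPLE_EVENTS = [
    ("adcc-fw-01",    "2021-06-03T13:00:00"),
    ("adcc-fw-02",    "2021-06-03T13:00:10"),
    ("adcc-proxy-01", "2021-06-03T13:00:20"),
    ("adcc-fw-01",    "2021-06-03T13:20:00"),
    ("adcc-fw-02",    "2021-06-03T13:25:00"),
    ("adcc-fw-01",    "2021-06-03T13:40:00"),
    ("adcc-fw-02",    "2021-06-03T13:45:00"),
    ("adcc-fw-01",    "2021-06-03T14:00:00"),
    ("adcc-fw-02",    "2021-06-03T14:05:00"),
    ("adcc-fw-01",    "2021-06-03T18:00:00"),
]


@dataclass
class SilenceWatchdog:
    """Per-log-source 'stopped sending events' detector with a response limiter."""
    group: set
    silence: timedelta
    limiter: timedelta
    last_seen: dict = field(default_factory=dict)
    last_fired: dict = field(default_factory=dict)
    firings: list = field(default_factory=list)   # (source, fired_at, silent_for)

    def ingest(self, source, ts):
        # Only group members are watched; other sources are ignored.
        if source in self.group:
            self.last_seen[source] = ts

    def check(self, now):
        """Evaluate every group member at `now`; return the sources that fire."""
        fired = []
        for source in sorted(self.group):
            seen = self.last_seen.get(source)
            if seen is None:
                continue                      # never seen yet: no baseline to compare
            if now - seen < self.silence:
                continue                      # still within the allowed gap
            last = self.last_fired.get(source)
            if last is not None and now - last < self.limiter:
                continue                      # suppressed by the response limiter
            self.last_fired[source] = now
            self.firings.append((source, now, now - seen))
            fired.append(source)
        return fired


def run(events, group=ADCC_GROUP, silence=SILENCE_SECONDS, limiter=LIMITER):
    """Replay a feed of (source, iso_timestamp) pairs and return all firings."""
    wd = SilenceWatchdog(group, timedelta(seconds=silence), limiter)
    for source, stamp in events:
        ts = datetime.fromisoformat(stamp)
        wd.ingest(source, ts)
        wd.check(ts)     # assumption: the rule is re-evaluated on each clock tick
    return wd.firings


if __name__ == "__main__":
    for source, at, gap in run(SAMPLE_EVENTS):
        print(f"{at.isoformat()} {source} silent for {gap}")
```

Replaying the constructed feed fires once for adcc-proxy-01 at 13:40 (the first tick at which it has been silent for more than 30 minutes), stays quiet for that source during the limiter window even though it remains silent, and then fires again at 18:00 for both adcc-proxy-01 and adcc-fw-02. Note that a firing here is produced by the absence of an event, so there is no incoming event to attach to: whatever the rule response does with "the detected event" has to come from something the rule itself generates, which is the point to keep in mind when debugging the offense side.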


  • 2.  RE: Rule fires but no offense

    Posted Thu June 03, 2021 02:29 PM

P.S. I also have 'Enable this rule if you want it to begin watching events right away' checked.





  • 3.  RE: Rule fires but no offense

    Posted Fri June 04, 2021 05:23 AM

    Hi Dave,

That is a special rule, because most rules have an event to add to an offense, but that rule is the opposite: it is a missing event that fires it. I created such a rule as well, but I made a copy of the rule "Device Stopped Sending Events" that is part of every installation and adapted it. This rule creates an event (CRE Event), and in the installation where I did it, everything was based on CRE Events. Therefore I cannot tell for 100% that an offense was created, but I know the CRE event worked. Maybe that helps you as well. How do you check that there is no offense?

    Regards

    Martin


