IBM QRadar

  • 1.  Unable to create rules when events are fetched using API in batch

    Posted Thu June 04, 2020 12:12 PM
    Hi,
    We are getting logs from Sophos Central using API. QRadar fetches logs every 15 min, so the QRadar start time is always different from the actual event time.

    There are a few use cases we are working on, but all logs coming in a 15 min fetch causes a problem.

    For example, the event "malware detected" actual time is 9:35:45 PM and the event "malware cleaned" actual time is 9:35:46 PM. So within a second malware was detected and cleaned on the same workstation. When I want to build a use case around this, QRadar considers start time as the base.

    The logic is:
    and when the event(s) were detected by one or more of SophosCentral
    and NOT when Malware Cleaned match at least 1 times with the same Threat_Name, Workstation and different Actual_Event_Date_Time in 11 minutes after Malware Detected match with the same Threat_Name ,Workstation
    and when an event matches any of the following Malware Detected

    This never fires a true offense.

    I tried at least 8 different logics around this but it doesn't seem to work.

    Any guidance from the group is much appreciated.

    ------------------------------
    KH
    ------------------------------


  • 2.  RE: Unable to create rules when events are fetched using API in batch

    Posted Fri June 05, 2020 12:15 PM

    Hi KH,

    If a real-time event stream is not an option, the solution to address use cases like this where you are using stateful tests (thing X happens after thing Y in Z amount of time) is to use our Historical Correlation feature. This is available in the Actions menu of Log Activity and Network Activity for use in Events or Flows. Essentially you define a saved search which targets the events of interest which you are receiving in batch (so your Sophos Central events in this case) and link it to a set of rules (or all rules if you wish, but in this case you probably want to pick just the relevant stateful ones that aren't functioning properly), and then using your historical correlation profile you can replay those events through the selected rules as if they were received in real time. If you select "Device Time" in the "Correlate Events By" dropdown, the historical correlation processor will examine the Log Source Time property of all events returned by the saved search and pass the events through the rules in the order they actually occurred, with appropriate delays to simulate the time at which they actually happened relative to one another. Note that rules used in historical correlation will only generate offenses; they can't take other actions/responses.

    You can choose to schedule your profile to run regularly so you don't have to kick it off manually periodically.
    You may also want to create a Routing Rule with action "Bypass Correlation" that matches your Sophos Central events, such that you don't get false positive rule hits on those events from the real-time correlation engine - this ensures that they only get processed by the historical correlation processor.

    Hope this helps.

    Cheers
    Colin



    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 3.  RE: Unable to create rules when events are fetched using API in batch

    Posted Mon June 08, 2020 02:19 PM
    Thanks Colin. This may solve my concern. I will try this and post the update.

    Thanks again.

    ------------------------------
    Hemant Kumar
    ------------------------------



  • 4.  RE: Unable to create rules when events are fetched using API in batch

    Posted Tue June 09, 2020 09:28 AM

    Any luck yet? I'm having a similar issue where the connection is dropped between QRadar and the log source, and when it's eventually back, all event logs that occurred during the downtime have the same event_time.
    Thanks for the help! 



    ------------------------------
    Andrew Guindi
    ------------------------------



  • 5.  RE: Unable to create rules when events are fetched using API in batch

    Posted Fri June 19, 2020 10:52 AM
    Hi,
    I tried to leverage the historical search option as well but that doesn't seem to be working.
    For example, the rule for "malware detected but not cleaned". The malware detection and malware cleaned events happen (98%) at exactly the same time, with a difference of a few milliseconds, and QRadar can only track up to seconds.

    So, when I run a historical search against my rule, it generates offenses for all events regardless of whether the malware was cleaned or not, because of the time when malware is detected and cleaned.

    Currently, we are using a manual process where we run a saved search after the offense is triggered to look for all events for the device and check whether a malware cleaned event occurred or not.

    Is there a workaround or a fix for such a scenario?


    ------------------------------
    Hemant Kumar
    ------------------------------
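The two failure modes in this thread, batch start time replacing the real event time (post 1) and second-resolution timestamps collapsing detect/clean pairs into the same instant (post 5), can be reproduced outside QRadar. The following Python replay is an added example written for this thread; it is not QRadar code and does not reproduce QRadar's rule engine. It replays a constructed Sophos-style batch through a "Malware Detected not followed by Malware Cleaned within 11 minutes" test, first ordered by the fetch (start) time, then by device time, then by device time truncated to whole seconds, which is the resolution post 5 describes. Event names, workstation IDs, threat names and timestamps are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

@dataclass
class Event:
    workstation: str
    threat: str
    name: str             # "Malware Detected" or "Malware Cleaned"
    device_time: datetime  # time the source says the event happened
    start_time: datetime   # time the SIEM received it (here: the batch fetch)

# Constructed batch: every event arrives in one 15-minute API fetch, so they all
# share the same start_time. The device_time values carry sub-second precision.
FETCH_TIME = datetime(2020, 6, 4, 21, 45, 0)
SAMPLE_BATCH: List[Event] = [
    Event("WS-01", "Troj/Agent-ABC", "Malware Detected", datetime(2020, 6, 4, 21, 35, 45, 200000), FETCH_TIME),
    Event("WS-01", "Troj/Agent-ABC", "Malware Cleaned",  datetime(2020, 6, 4, 21, 35, 46, 100000), FETCH_TIME),
    Event("WS-02", "Mal/Generic-S",  "Malware Detected", datetime(2020, 6, 4, 21, 36, 10),         FETCH_TIME),  # never cleaned
    Event("WS-03", "Troj/Agent-ABC", "Malware Detected", datetime(2020, 6, 4, 21, 37,  0, 300000), FETCH_TIME),
    Event("WS-03", "Troj/Agent-ABC", "Malware Cleaned",  datetime(2020, 6, 4, 21, 37,  0, 900000), FETCH_TIME),  # same second
]

Key = Tuple[str, str]

def detected_not_cleaned(events: List[Event],
                         time_key: Callable[[Event], datetime],
                         window: timedelta = timedelta(minutes=11),
                         strictly_after: bool = True) -> List[Key]:
    """Replay events in the order given by time_key and return the
    (workstation, threat) pairs that were detected but not cleaned within
    `window`. The batch is assumed complete, so every detection still open
    at the end of the replay is reported as an offense.

    strictly_after=True mirrors a rule that requires the Cleaned event to
    occur *after* the Detected event; with equal timestamps it never matches.
    """
    ordered = sorted(events, key=time_key)  # stable sort: ties keep input order
    open_detections: Dict[Key, datetime] = {}
    for ev in ordered:
        key = (ev.workstation, ev.threat)
        t = time_key(ev)
        if ev.name == "Malware Detected":
            open_detections[key] = t
        elif ev.name == "Malware Cleaned" and key in open_detections:
            t0 = open_detections[key]
            is_later = t > t0 if strictly_after else t >= t0
            if is_later and t - t0 <= window:
                del open_detections[key]  # cleaned in time: no offense
    return sorted(open_detections)

def truncate_to_seconds(dt: datetime) -> datetime:
    """Drop sub-second precision, as a store with one-second resolution would."""
    return dt.replace(microsecond=0)

def replay_by_start_time() -> List[Key]:
    # Post 1: every event carries the fetch time, so Detected and Cleaned are
    # simultaneous and "Cleaned after Detected" can never be satisfied.
    return detected_not_cleaned(SAMPLE_BATCH, time_key=lambda e: e.start_time)

def replay_by_device_time() -> List[Key]:
    # Post 2: order by device time with full precision; only WS-02 stays open.
    return detected_not_cleaned(SAMPLE_BATCH, time_key=lambda e: e.device_time)

def replay_by_device_time_seconds(strictly_after: bool = True) -> List[Key]:
    # Post 5: second resolution makes WS-03's detect/clean pair simultaneous.
    # Relaxing to ">=" rescues it here only because the stable sort kept the
    # Detected event first; with equal timestamps the real order is arbitrary.
    return detected_not_cleaned(SAMPLE_BATCH,
                                time_key=lambda e: truncate_to_seconds(e.device_time),
                                strictly_after=strictly_after)

if __name__ == "__main__":
    print("by start time:           ", replay_by_start_time())
    print("by device time:          ", replay_by_device_time())
    print("by device time (seconds):", replay_by_device_time_seconds())
    print("  ... allowing equality: ", replay_by_device_time_seconds(strictly_after=False))
```

Run stand-alone, the first replay reports all three workstations, the second only WS-02, and the second-resolution replay reports WS-02 and WS-03. The last line shows that accepting an equal timestamp recovers WS-03 in this batch, but the comment in `replay_by_device_time_seconds` is the real caveat: once two events share a timestamp, their relative order is not guaranteed, so a rule that depends on that order cannot be made reliable by the correlation side alone; the fix has to come from keeping sub-second time in the ingested event.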