IBM QRadar

 Unexpected "User Login Failure" offenses not matching defined use case rules

Carlos Marti posted Wed May 21, 2025 06:17 AM

Hi everyone,

I'm experiencing a situation in QRadar where offenses with the description "User Login Failure" are being generated recently, sometimes with as few as 2 login failures. However, when reviewing the offenses under Display → Rules → List of Rules Contributing to Offense, I see a specific use case triggered:
"Multiple Login Failures from same source (Windows)", which is configured to trigger after 100 login failures in 5 minutes. This rule is also configured with "This information should set or replace the name of the associated offense(s)" under Offense Naming.

This doesn’t align with the offenses labeled "User Login Failure", which are triggered under different (and seemingly less strict) conditions.

Additionally, I've checked the Use Case Manager, and there's no rule with the title "User Login Failure" present.

My questions are:

  • Where is this "User Login Failure" offense coming from if it's not listed as a rule in Use Case Manager?

  • How can I identify the exact rule or logic that is generating these offenses?

  • And ultimately, how can I disable or adjust this behavior if needed?

Thanks a lot in advance for your help!

Tamás Simon

Try checking the details of the events that are in the offense, and look at the Custom Rules or Custom Rules Partially Matched part of the Additional Information section. The rule name User Login Failure must be there.

Carlos Marti

Thank you for the response, I have reviewed it and I'm afraid that 'User Login Failure' does not appear.

[Image: comparison between the Offense Name and the Additional Information section]

Rory Bray

Also check for rules with "Dispatch New Event" response actions. These can have any name.
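One way to confirm this from the event side, as an added example that is not part of the thread: the events that "Dispatch New Event" creates are logged by QRadar's own Custom Rule Engine log source and carry whatever event name the rule response set, so an AQL search over the offense's events shows both which rules matched each event and which events were dispatched rather than collected. The offense ID 1234 is a placeholder, and the log source name prefix 'Custom Rule Engine' is an assumption based on the default name QRadar gives that log source; adjust both for your deployment. The block comments are explanatory and can be removed if the AQL parser rejects them.

```sql
/* Run in Log Activity > Advanced Search (or POST to /api/ariel/searches).
   Offense ID 1234 is a placeholder. */

/* 1. Every event in the offense, with the rules that matched it
      (creEventList holds the matched rule IDs; RULENAME resolves them). */
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS 'Time',
       QIDNAME(qid) AS 'Event Name',
       LOGSOURCENAME(logsourceid) AS 'Log Source',
       RULENAME(creEventList) AS 'Matched Rules',
       username, sourceip
FROM events
WHERE INOFFENSE(1234)
ORDER BY starttime
LAST 7 DAYS

/* 2. Only the events dispatched by the CRE itself, i.e. produced by a
      "Dispatch New Event" rule response. The event name here is the one
      typed into the response (for example "User Login Failure"), which is
      why it need not match any rule title in Use Case Manager.
      Assumption: the CRE log source name starts with 'Custom Rule Engine'. */
SELECT QIDNAME(qid) AS 'Dispatched Event',
       LOGSOURCENAME(logsourceid) AS 'Log Source',
       COUNT(*) AS 'Events'
FROM events
WHERE INOFFENSE(1234)
  AND LOGSOURCENAME(logsourceid) ILIKE 'Custom Rule Engine%'
GROUP BY qid, logsourceid
LAST 7 DAYS
```

If the second search returns rows, the offense name comes from a dispatched event, and the rule to look for is the one whose Rule Response has that event name in its "Dispatch New Event" settings, not a rule titled after the offense.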

Carlos Marti

Thanks for your response! You're right, I have the "Dispatch New Event" action enabled. However, in the Offense Naming section, I’ve selected "This information should set or replace the name of the associated offense." Wouldn't this force all offenses created by this type of event to have exactly the same name? How can I prevent new offenses from being created instead of grouping them into one? Thanks again!

Tamás Simon

Carlos, could you also show the Rule Action (upper) part in the screenshot, not only the Rule Response part?

Frank Eargle IBM Champion

This is frustrating and comes from the overall login failure rule logic. If you open a specific offense, then on the top menu choose Display, then Rules, it will show what rules were part of the offense. You may find other events from other rules, but these are the prime ones. Even for chained offenses, it is best to start with the original offense. You are being distracted by the event that is generated when the rule fires. Those are often needed, for additional logic, reports, etc. But they have little bearing on the offense itself (unless added to the logic).

Use Case Manager is great, but the old-fashioned interface to the offense works better for this.

Carlos Marti

Sure, in the following image you can see the Rule Action. I recently enabled the option "Include detected events by Username from this point forward, in the offenses, for 14400 second(s)". It's true that since I activated it, I haven't had any new events triggered by non-existent rules, but I'm afraid that with this rule enabled, actions from other rules might be masked if they are performed by the same user — I'm not sure if that would be the case.

Frank Eargle IBM Champion

This link may help: https://community.ibm.com/community/user/blogs/ashish-kothekar/2021/07/07/how-qradar-offense-renaming-works?hlmlt=QT