IBM Security QRadar


How QRadar Offense Renaming works

By ASHISH KOTHEKAR posted Wed July 07, 2021 06:44 AM

  

How QRadar Offense Renaming works?


QRadar generates an Offense when a correlation rule matches. Such Offenses can also be renamed to better suit your requirements. Renaming Offenses can be tricky to set up if you are not aware of the concepts behind it. In this post we explain how the renaming of Offenses works.

 

Before going into the details of Offense renaming, let us first understand the two different types of conditions that can be used in Rules:

             A. Direct Conditions - These conditions match each event directly against the logic of the condition. In the screenshot below, we see two Direct Conditions: the first matches the Destination IP address and the second matches the Log Source Types. Such Direct Conditions do NOT have any "time" factor associated with them.


 

             B. Timing Conditions - These conditions count the number of events seen within an allocated amount of time, and are met only when that count is reached inside the window. In the screenshot below, the condition is true only when twenty or more events with the same 'Source IP' (event property) are seen in 5 minutes.

 

Pro tip 1: The time mentioned in the Timing Condition decides whether such a rule, after firing an Offense, remains hot or not.

 

 

Pro tip 2: If you want the new Offense that is generated after you close the previous Offense to be renamed, close the previous Offense only after the time mentioned in the Timing Condition has expired. For example, with the condition above, the Offense should be closed more than 5 minutes after the last event matching the rule condition was received.


These two types of conditions, and how they are used in a rule, determine whether the generated Offense will be renamed or not.

 

The conditions which determine whether an Offense will be renamed can be followed in the flow chart explained below:
 

 

 

Below we discuss the important factors shown in the flow chart:

 

Decision Box 1: In this Decision Box, we match the Timing Condition of the rule (if x events are seen in y minutes). We assume that, before this decision box is reached, the Direct Conditions (explained previously) have already matched. Here is an example to make this clearer. Let's say the Timing Condition in this rule says "If 20 or more events are received in 5 minutes." Once this condition matches, the action(s) defined under the Rule Action part of the rule are executed.

 

Decision Box 2: This Decision Box decides whether an Offense is generated as part of the Rule Action. If yes (as shown in the screenshot below), an Offense is generated; if no, it is not. When the Offense is generated, it takes the name of the event that last matched the condition.

 


 

Decision Box 3: In this Decision Box, we check whether the "Dispatch a New Event" box is checked. We also check whether "Ensure Dispatched Event is part of offense" is checked, and whether either "The information should contribute to Name of associated Offense" or "The information should set or replace the name of associated Offense" is selected.

 

 

If they are, a new CRE event is dispatched. This newly dispatched event is attached to the Offense that was fired previously and, based on the selection under Offense Naming, renames the Offense.

 
Decision Box 4: In this Decision Box, we decide whether further events match this rule and need to be attached to the generated Offense.

 
Decision Box 5: In this Decision Box, we determine whether the Offense is being closed before or after the Timing Condition of the rule has expired.

 

Decision Box 6: In this Decision Box, we decide whether further events match the complete rule (both the Direct and the Timing Conditions), which results in a new Offense being generated. This new Offense is not renamed, because the previous Offense was closed before the time mentioned in the Timing Condition had expired.

 

Decision Box 7: Similar to Decision Box 6, in this Decision Box we determine whether new events match the complete rule (both the Direct and the Timing Conditions), which results in a new Offense being generated. In this case, however, the new Offense is renamed as well, because the previous Offense was closed after the Timing Condition had expired.
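As an added illustration (not QRadar's code or the author's), the decision boxes above modelled in Python so the two closing scenarios can be compared side by side. The Rule field names, the "X containing Y" rename format, the rule name and the event times are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                  # constructed model of the rule settings in the flow chart
    name: str
    threshold: int           # Box 1: "if x events ..."
    window: int              # "... in y seconds" (page example: 20 events in 5 minutes)
    create_offense: bool     # Box 2: Rule Action generates an Offense
    dispatch_new_event: bool # Box 3: "Dispatch a New Event"
    ensure_in_offense: bool  # Box 3: "Ensure Dispatched Event is part of offense"
    naming: str              # Box 3: "contribute", "replace" or "none"

@dataclass
class Offense:
    name: str
    last_event_at: int
    event_count: int
    renamed: bool = False
    closed_at: Optional[int] = None

def rename_allowed(rule: Rule) -> bool:
    """Box 3: the dispatched CRE event renames only when all three settings are on."""
    return (rule.dispatch_new_event and rule.ensure_in_offense
            and rule.naming in ("contribute", "replace"))

def simulate(rule: Rule, events: list, closes: list) -> list:
    """events: (time, event name) pairs that already satisfy the Direct Conditions.
    closes: times at which an analyst closes the currently open Offense (Box 5)."""
    window, offenses, current = deque(), [], None
    prev_closed_after_expiry = True       # no previous Offense: renaming not blocked
    pending = sorted(closes)
    for t, ev_name in events:
        while pending and pending[0] <= t:  # apply analyst closes that happened before t
            close_time = pending.pop(0)
            if current:
                current.closed_at = close_time
                # Box 5 / Pro tip 2: closed only after the Timing Condition expired?
                prev_closed_after_expiry = close_time >= current.last_event_at + rule.window
                current = None
        if current:                       # Box 4: attach to the open Offense
            current.event_count, current.last_event_at = current.event_count + 1, t
            continue
        window.append(t)                  # Box 1: sliding count of events in the window
        while window[0] <= t - rule.window:
            window.popleft()
        if len(window) < rule.threshold or not rule.create_offense:
            continue                      # Box 1 not met, or Box 2 says no Offense
        current = Offense(name=ev_name, last_event_at=t, event_count=len(window))
        window.clear()
        if rename_allowed(rule) and prev_closed_after_expiry:   # Box 3, then Box 6 / 7
            current.name = rule.name if rule.naming == "replace" else f"{rule.name} containing {ev_name}"
            current.renamed = True
        offenses.append(current)
    return offenses
```

The second Offense in a run is only ever renamed when the previous one was closed at or after last_event_at + window, which is exactly the condition Pro tip 2 describes.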

 

 

There are other scenarios as well which affect the renaming of an Offense. However, the explanation and flow chart above should give you an idea of how this works across the different types of rule conditions and help you create Rules better suited to your needs.

For any questions or comments regarding the points mentioned above, or if you want to discuss this further, feel free to get in touch with us; we would be more than happy to answer your queries:

Ashish Kothekar (Ashish) – ashish.kothekar@in.ibm.com

Boudhayan Chakrabarty (Bob) – bochakra@in.ibm.com
