IBM Security QRadar

  • 1.  Correlate two events from two different log sources with the same log Start Time

    Posted Mon December 20, 2021 06:44 AM
    Hi community,

    I have a problem making an offense and I would like to know if you can give me any advice. I try to correlate two events from two log sources, both events have the same start time, therefore the rule doesn't work because the second event would have to come after the first. Any idea? Can a delay be added manually to a log source?

    Thanks!

    David

    ------------------------------
    DAVID SANZ POZAS
    ------------------------------


  • 2.  RE: Correlate two events from two different log sources with the same log Start Time

    Posted Tue December 21, 2021 02:53 AM
    Hi David,
    we had a very similar problem. Our approach was to write two rules that each wrote something to a reference table when the event occurred. And then subsequently we alerted when both entries were present in the reference table.

    Reference tables are always a possibility if you want to "remember" something. Unfortunately, they do not react completely in real time.

    Perhaps this will help?

    Many greetings
    Oliver

    ------------------------------
    Kind regards
    Oliver
    ------------------------------
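An added illustration of the approach Oliver describes (not code from the thread or from QRadar): a plain Python simulation in which a "B after A" sequence rule misses two events that share a start time, while an order-independent rule that records each source in a shared table keyed by host still fires. The event fields, log source names and the `window` parameter are constructed for this example.

```python
from collections import defaultdict

# Constructed sample events: two log sources, same start time for host 10.0.0.5.
EVENTS = [
    {"log_source": "Firewall", "start_time": 1640000000, "src_ip": "10.0.0.5"},
    {"log_source": "EDR",      "start_time": 1640000000, "src_ip": "10.0.0.5"},
    {"log_source": "Firewall", "start_time": 1640000010, "src_ip": "10.0.0.9"},
]


def sequence_rule(events, first_source, second_source):
    """Mimics 'event from second_source AFTER event from first_source, same host'.
    Fires only when the second event is strictly later, so equal start times
    never match. Returns the hosts that triggered, in order."""
    seen, hits = {}, []
    for ev in sorted(events, key=lambda e: e["start_time"]):
        host = ev["src_ip"]
        if ev["log_source"] == first_source:
            seen[host] = ev["start_time"]
        elif (ev["log_source"] == second_source and host in seen
              and ev["start_time"] > seen[host]):
            hits.append(host)
    return hits


def reference_table_rule(events, sources, window=300):
    """Order-independent variant: every event writes (host, source) -> time
    into a shared table, standing in for a QRadar reference table. A check
    fires once all required sources are present for the host within `window`
    seconds of each other, whichever order the events arrived in."""
    table = defaultdict(dict)
    hits = []
    for ev in events:
        host = ev["src_ip"]
        table[host][ev["log_source"]] = ev["start_time"]
        times = [table[host][s] for s in sources if s in table[host]]
        if len(times) == len(sources) and max(times) - min(times) <= window:
            if host not in hits:          # alert once per host
                hits.append(host)
    return hits


if __name__ == "__main__":
    print("sequence rule:       ", sequence_rule(EVENTS, "Firewall", "EDR"))
    print("reference-table rule:", reference_table_rule(EVENTS, ["Firewall", "EDR"]))
```

Entries in a real reference table should be given a time-to-live, as they are here via `window`, so stale half-matches do not pair with unrelated events hours later.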



  • 3.  RE: Correlate two events from two different log sources with the same log Start Time

    IBM Champion
    Posted Tue December 21, 2021 05:11 AM
    Hi David,

    there are more than 100 different ways to correlate events and offenses. It's always two steps. You create your meta-event first based on your event and then fire your offense rules. It's up to you! Please have a look at these simple demo rules.
    https://community.ibm.com/community/user/security/viewdocument/fast-track-to-self-deoffense?CommunityKey=f9ea5420-0984-4345-ba7a-d93b4e2d4864&tab=librarydocuments
    You write "therefore the rule doesn't work because the second event would have to come after the first." That is exactly what happens when you correlate different events from different sources.

    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 4.  RE: Correlate two events from two different log sources with the same log Start Time

    Posted Wed December 22, 2021 05:20 AM
    Just a note/reminder (probably redundant :) ) on Start Time (begins after the EC-ECS Ingress) vs. Log source time (pulled from the event payload); as I recall, the former is used for real-time correlation and the latter can be used through historical correlation.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------