IBM Security QRadar


Rule Response - Dispatch New Event - Event Name

  • 1.  Rule Response - Dispatch New Event - Event Name

    Posted Mon September 21, 2020 06:13 AM
    Good morning, I would like to know how to correctly set up an offense because when an offense is thrown at me it doesn't come out with the right name.

    I have changed the Rule Response/Dispatch New Event inside so that it jumps with the name but it appears with event names

    thanks

    note: see img

    Error name offense


    ------------------------------
    Marcos _
    ------------------------------


  • 2.  RE: Rule Response - Dispatch New Event - Event Name

    Posted Mon September 21, 2020 07:32 AM
    Hi Marcos,
    Offense name is not "ejemplo"?

    ------------------------------
    Adi A
    ------------------------------



  • 3.  RE: Rule Response - Dispatch New Event - Event Name

    Posted Mon September 21, 2020 09:50 AM
    Hi Adi, 

    Hi, if this is just an example, all I want to know is the kind of configuration I have to put when creating a rule so that the name of the event is always what I put in the name of the description, because I have some that do jump and others that don't, and I have them all configured the same.

    thank you

    ------------------------------
    Marcos _
    ------------------------------



  • 4.  RE: Rule Response - Dispatch New Event - Event Name

    Posted Tue September 22, 2020 08:25 AM
    Hi Marcos,

    Yes, the configuration in your screenshot is correct if you want the name of the dispatched event to be used for the Offense name/description. The key aspects are ensuring that both the original event and the new dispatched event are set to contribute to offenses with the same index property (Source IP in your example) and that in the dispatch options, you select the option to "set or replace" the offense name. If both of these cases are true for all your rules and you're still seeing an issue where offenses are not renamed properly, you may want to raise a support case.

    Cheers
    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 5.  RE: Rule Response - Dispatch New Event - Event Name

    Posted Tue September 22, 2020 10:08 AM
    Check out the offence naming definitions on the rule responses which do not work as expected.
    Perhaps those event dispatch responses are defined as "This information should contribute to... (or should not contribute)..." and not as in the screenshot above ("This information should set or replace...")?

    Chanan

    ------------------------------
    Chanan Welt
    ------------------------------