In QRadar, I'm facing an issue where a rule generates offenses whenever a device attempts to access a port in a reference set. Each new attempt by a different device adds to an existing offense instead of creating a new one. How can I adjust the rule to ensure a new offense is created for each new attempt by a different device?
Selecting 'index offense based on source IP' generates new offenses, but the 'destination port' is not included in the offense summary. This is essential for our SOAR playbooks that rely on Source IP, Destination IP, and Destination Port information. The missing destination port value is disrupting our workflows.
My end goal is to forward offenses that include the destination port, source IP, and destination IP to SOAR. I have a template created for this information, but as mentioned, the rule should be configured correctly before escalation. Any advice would be greatly appreciated.