IBM Security QRadar

Hi,
We have a rule for L2L scanner detection, we are getting offense but only CRE events in the event page instead of actual logs (events).  As I checked in the rule wizard all the settings are fine.  
Please anyone help to resolve the issue.  Attached snapshots




Thanks in advance.

------------------------------
Arunkumar R
------------------------------

It looks like  the Offense was based on flow monitoring - then only CRE events could be expected.

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Fri December 02, 2022 07:14 AM
From: Arunkumar R
Subject: Only Custom Rule Engine in an Offense

Hi,
We have a rule for L2L scanner detection, we are getting offense but only CRE events in the event page instead of actual logs (events).  As I checked in the rule wizard all the settings are fine.  
Please anyone help to resolve the issue.  Attached snapshots




Thanks in advance.

------------------------------
Arunkumar R
------------------------------

Hi Dusan,
Thank you for the response. 
How can we get the events in the offense?


Thanks

------------------------------
Arunkumar R
------------------------------

Original Message:
Sent: Mon December 05, 2022 03:50 AM
From: Dusan VIDOVIC
Subject: Only Custom Rule Engine in an Offense

It looks like  the Offense was based on flow monitoring - then only CRE events could be expected.

------------------------------
Dusan VIDOVIC

Original Message:
Sent: Fri December 02, 2022 07:14 AM
From: Arunkumar R
Subject: Only Custom Rule Engine in an Offense

Hi,
We have a rule for L2L scanner detection, we are getting offense but only CRE events in the event page instead of actual logs (events).  As I checked in the rule wizard all the settings are fine.  
Please anyone help to resolve the issue.  Attached snapshots




Thanks in advance.

------------------------------
Arunkumar R
------------------------------

Your detection involved only flows matching the rule. If there were any events matching they would have been added. Review the rule and events surrounding the timeframe the offense covered to see if there may be something of interest or that you see you miss for better detection.

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Mon December 05, 2022 04:09 AM
From: Arunkumar R
Subject: Only Custom Rule Engine in an Offense

Hi Dusan,
Thank you for the response. 
How can we get the events in the offense?


Thanks

------------------------------
Arunkumar R

Original Message:
Sent: Mon December 05, 2022 03:50 AM
From: Dusan VIDOVIC
Subject: Only Custom Rule Engine in an Offense

It looks like  the Offense was based on flow monitoring - then only CRE events could be expected.

------------------------------
Dusan VIDOVIC

Original Message:
Sent: Fri December 02, 2022 07:14 AM
From: Arunkumar R
Subject: Only Custom Rule Engine in an Offense

Hi,
We have a rule for L2L scanner detection, we are getting offense but only CRE events in the event page instead of actual logs (events).  As I checked in the rule wizard all the settings are fine.  
Please anyone help to resolve the issue.  Attached snapshots




Thanks in advance.

------------------------------
Arunkumar R
------------------------------