IBM Security QRadar

  • 1.  Only Custom Rule Engine in an Offense

    Posted Fri December 02, 2022 07:15 AM
    Hi,
    We have a rule for L2L scanner detection. We are getting an offense, but only CRE events appear on the event page instead of the actual logs (events). As I checked in the rule wizard, all the settings are fine.
    Could anyone please help resolve the issue? Snapshots attached.
    Thanks in advance.

    ------------------------------
    Arunkumar R
    ------------------------------


  • 2.  RE: Only Custom Rule Engine in an Offense

    Posted Mon December 05, 2022 03:51 AM
    It looks like the offense was based on flow monitoring; then only CRE events could be expected.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: Only Custom Rule Engine in an Offense

    Posted Mon December 05, 2022 04:10 AM
    Hi Dusan,
    Thank you for the response. 
    How can we get the events in the offense?


    Thanks

    ------------------------------
    Arunkumar R
    ------------------------------



  • 4.  RE: Only Custom Rule Engine in an Offense

    Posted Mon December 05, 2022 07:00 AM
    Your detection involved only flows matching the rule. If there were any matching events, they would have been added. Review the rule and the events surrounding the timeframe the offense covered to see if there may be something of interest, or something you see you are missing, for better detection.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------
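One way to do the review the reply above suggests, as an added example that is not part of the thread and not QRadar's own tooling: pull the offense's time window and source over the REST API, run an AQL search for raw events around that source in a padded window, and split what comes back into Custom Rule Engine events and events from real log sources. If the second list is empty, the rule fired on flows alone and there were no log events to attach. The code assumes the documented `GET /api/siem/offenses/{id}` and `POST /api/ariel/searches` endpoints with a `SEC` token header, an offense indexed on source IP (so `offense_source` is an IP string), epoch-millisecond `START`/`STOP` bounds in AQL, and the `CRE_LOGSOURCE` name and `PAD_MS` padding chosen here; the sample offense and result rows are constructed so the helpers run offline.

```python
"""Do the raw events behind a QRadar offense exist, or is it CRE-only?

Added example, not code from the forum thread or from IBM. Assumes the
QRadar REST API paths /api/siem/offenses/{id} and /api/ariel/searches,
an offense indexed on source IP, and AQL START/STOP taking epoch ms.
"""
import ipaddress
import json
import time
import urllib.parse
import urllib.request

CRE_LOGSOURCE = "Custom Rule Engine"   # log source name QRadar gives CRE events
PAD_MS = 5 * 60 * 1000                 # assumption: look 5 min either side


def offense_window(offense, pad_ms=PAD_MS):
    """(start, stop) epoch-ms bounds padded around the offense lifetime."""
    start = int(offense["start_time"]) - pad_ms
    stop = int(offense["last_updated_time"]) + pad_ms
    if stop <= start:
        raise ValueError("offense window is empty")
    return start, stop


def build_aql(offense, pad_ms=PAD_MS):
    """AQL for raw events touching the offense source IP inside the window.

    offense_source must parse as an IP so an odd value (a username on an
    offense indexed differently, say) is rejected instead of spliced into
    the query text.
    """
    src = str(ipaddress.ip_address(offense["offense_source"]))
    start, stop = offense_window(offense, pad_ms)
    return (
        "SELECT starttime, sourceip, destinationip, destinationport, "
        "LOGSOURCENAME(logsourceid) AS logsource, QIDNAME(qid) AS event_name "
        f"FROM events WHERE sourceip = '{src}' OR destinationip = '{src}' "
        f"START {start} STOP {stop}"
    )


def split_cre_events(rows):
    """Partition Ariel result rows into (cre_rows, raw_rows) by log source."""
    cre = [r for r in rows if r.get("logsource") == CRE_LOGSOURCE]
    raw = [r for r in rows if r.get("logsource") != CRE_LOGSOURCE]
    return cre, raw


def _api(console, token, path, method="GET", params=None):
    """Minimal JSON call against the console; TLS is always verified."""
    url = f"https://{console}/api/{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, method=method, headers={
        "SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def events_behind_offense(console, token, offense_id, poll_s=2.0):
    """Fetch the offense, run the search, return (cre_rows, raw_rows)."""
    offense = _api(console, token, f"siem/offenses/{offense_id}")
    search = _api(console, token, "ariel/searches", method="POST",
                  params={"query_expression": build_aql(offense)})
    sid = search["search_id"]
    while True:
        status = _api(console, token, f"ariel/searches/{sid}")["status"]
        if status == "COMPLETED":
            break
        if status in ("ERROR", "CANCELED"):
            raise RuntimeError(f"search {sid} ended with status {status}")
        time.sleep(poll_s)
    rows = _api(console, token, f"ariel/searches/{sid}/results")["events"]
    return split_cre_events(rows)


# Constructed sample data, shaped like the API responses, for offline use.
SAMPLE_OFFENSE = {
    "id": 1234, "offense_source": "10.20.30.40",
    "start_time": 1669961700000, "last_updated_time": 1669962300000,
}
SAMPLE_ROWS = [
    {"starttime": 1669961710000, "sourceip": "10.20.30.40",
     "destinationip": "10.20.31.7", "destinationport": 445,
     "logsource": "Custom Rule Engine", "event_name": "L2L scanner detection"},
    {"starttime": 1669961990000, "sourceip": "10.20.30.40",
     "destinationip": "10.20.31.9", "destinationport": 22,
     "logsource": "Custom Rule Engine", "event_name": "L2L scanner detection"},
    {"starttime": 1669961712000, "sourceip": "10.20.30.40",
     "destinationip": "10.20.31.7", "destinationport": 445,
     "logsource": "Cisco ASA @ fw01", "event_name": "Deny TCP"},
]

if __name__ == "__main__":
    print(build_aql(SAMPLE_OFFENSE))
    cre, raw = split_cre_events(SAMPLE_ROWS)
    print(f"{len(cre)} CRE events, {len(raw)} raw log events in window")
```

If the raw list is empty for a real offense, nothing from your log sources mentioned that IP in the window, so the next step is the rule itself: add an event-based test (or a second rule) for the log source you expect to see the scan, rather than hunting for events the offense never had.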