IBM Security QRadar

Hi Community,

We have a basic rule that would trigger an offense and send an email notification whenever a Severity 7 or higher events are triggered from Carbon Black.

Below is the rule logic:

and when the event(s) were detected by one or more of CarbonBlackCloudCustom @ localhost
and when the event matches Alert Category (custom) is any of THREAT
and when the event matches CB Severity (custom) is any of [7 or 8 or 9]

Very basic rule, has been working as expected since forever. I ran a search in Log Activity using the same logic and did find a Sev8 event from this morning for which it should have triggered an Offense.

I did ran a sample test rule and it fired an Offense right away, as expected. What could be wrong with this particular rule for it to not trigger an Offense?

Thanks in Advance.

Sahil

Hi Community,

We have a basic rule that would trigger an offense and send an email notification whenever a Severity 7 or higher events are triggered from Carbon Black.

Below is the rule logic:

and when the event(s) were detected by one or more of CarbonBlackCloudCustom @ localhost
and when the event matches Alert Category (custom) is any of THREAT
and when the event matches CB Severity (custom) is any of [7 or 8 or 9]

Very basic rule, has been working as expected since forever. I ran a search in Log Activity using the same logic and did find a Sev8 event from this morning for which it should have triggered an Offense.

I did ran a sample test rule and it fired an Offense right away, as expected. What could be wrong with this particular rule for it to not trigger an Offense?

Thanks in Advance.

Sahil

Hi, 
I am also facing a similar problem, the rule is to run alerts for a few events but not for another similar event.
I have tried to disable and enable, restarted the ecs-ep, and duplicated the rule.

Any solution found to resolve this issue?


Thanks

Hi Community,

We have a basic rule that would trigger an offense and send an email notification whenever a Severity 7 or higher events are triggered from Carbon Black.

Below is the rule logic:

and when the event(s) were detected by one or more of CarbonBlackCloudCustom @ localhost
and when the event matches Alert Category (custom) is any of THREAT
and when the event matches CB Severity (custom) is any of [7 or 8 or 9]

Very basic rule, has been working as expected since forever. I ran a search in Log Activity using the same logic and did find a Sev8 event from this morning for which it should have triggered an Offense.

I did ran a sample test rule and it fired an Offense right away, as expected. What could be wrong with this particular rule for it to not trigger an Offense?

Thanks in Advance.

Sahil

Hi, 
I am also facing a similar problem, the rule is to run alerts for a few events but not for another similar event.
I have tried to disable and enable, restarted the ecs-ep, and duplicated the rule.

Any solution found to resolve this issue?


Thanks

Hi Community,

We have a basic rule that would trigger an offense and send an email notification whenever a Severity 7 or higher events are triggered from Carbon Black.

Below is the rule logic:

and when the event(s) were detected by one or more of CarbonBlackCloudCustom @ localhost
and when the event matches Alert Category (custom) is any of THREAT
and when the event matches CB Severity (custom) is any of [7 or 8 or 9]

Very basic rule, has been working as expected since forever. I ran a search in Log Activity using the same logic and did find a Sev8 event from this morning for which it should have triggered an Offense.

I did ran a sample test rule and it fired an Offense right away, as expected. What could be wrong with this particular rule for it to not trigger an Offense?

Thanks in Advance.

Sahil

Which property are you using for indexing the offense in Rule Action and Rule Response? If the property doesn't have a value, the rule will fail to create an offense when it triggers.

Hi, 
I am also facing a similar problem, the rule is to run alerts for a few events but not for another similar event.
I have tried to disable and enable, restarted the ecs-ep, and duplicated the rule.

Any solution found to resolve this issue?


Thanks

Hi Community,

We have a basic rule that would trigger an offense and send an email notification whenever a Severity 7 or higher events are triggered from Carbon Black.

Below is the rule logic:

and when the event(s) were detected by one or more of CarbonBlackCloudCustom @ localhost
and when the event matches Alert Category (custom) is any of THREAT
and when the event matches CB Severity (custom) is any of [7 or 8 or 9]

Very basic rule, has been working as expected since forever. I ran a search in Log Activity using the same logic and did find a Sev8 event from this morning for which it should have triggered an Offense.

I did ran a sample test rule and it fired an Offense right away, as expected. What could be wrong with this particular rule for it to not trigger an Offense?

Thanks in Advance.

Sahil

Hi Community,

We have a basic rule that would trigger an offense and send an email notification whenever a Severity 7 or higher events are triggered from Carbon Black.

Below is the rule logic:

and when the event(s) were detected by one or more of CarbonBlackCloudCustom @ localhost
and when the event matches Alert Category (custom) is any of THREAT
and when the event matches CB Severity (custom) is any of [7 or 8 or 9]

Very basic rule, has been working as expected since forever. I ran a search in Log Activity using the same logic and did find a Sev8 event from this morning for which it should have triggered an Offense.

I did ran a sample test rule and it fired an Offense right away, as expected. What could be wrong with this particular rule for it to not trigger an Offense?

Thanks in Advance.

Sahil