Topic: 3 replies, latest post 2016-03-24T11:53:43Z by paulfh
SystemAdmin (276 Posts)

Pinned topic: Tuning Magnitude via Credibility

2012-10-26T19:59:46Z
I've got a number of offenses being generated by individuals going clicky-clicky to resources they don't have access to; usually inadvertently, as far as we can tell. I don't want to completely ignore this class of alert because enough of these alerts could indicate something interesting. I was thinking the most elegant way to handle this is to build a BB for the resource hosts and then create a rule that decreases the magnitude of the event if it involves that BB. But that should be overcome by an increased number of these alerts. With that in mind, it seems like Credibility might be a good metric to decrement, as I've seen a reference that Credibility will automatically increase with an increase in alerts.

I haven't found good documentation that talks about how this works. Or anything that talks about when I should consider altering these metrics (or even IF I should be doing that). Out-of-the-box Magnitude Adjustments seem focused entirely on Relevance. Is there a good reference that I'm overlooking? Am I looking at doing this the wrong way (I thought that thresholds might be less elegant)?

Posted By Paul Hosking
  • SystemAdmin (276 Posts)

    Re: A guide to the rules would help

    2012-11-20T21:24:55Z
    You've probably already worked this out for yourself, but just to be clear, "Magnitude" is calculated simply as Relevance + Severity + Credibility / 3.

    I know of three "... with High Magnitude Become Offenses" rules:
    • DoS: DoS Events with High Magnitude Become Offenses
    • DDoS: DDoS Events with High Magnitude Become Offenses
    • Exploit: Exploits Events with High Magnitude Become Offenses
    These all rely on BB:CategoryDefinition: High Magnitude Events which looks like this:
     Apply BB:CategoryDefinition: High Magnitude Events on events which are detected by the Local system
    and when the event severity is greater than 8
    and when the event credibility is greater than 8
    and when the event relevance is greater than 8
    Note that those AND-ed together (not OR).

    Then there is a whole group of "Magnitude Adjustment" rules for context, source, and destination.

    I can't say I've gotten a lot of use out of any of this, but I want to.
    I want to have my system tuned up such that magnitude is a useful guide for "which offense is most important".
    But I don't feel like I'm there yet.
    Having some documentation from Q1 on the intent behind the rules would really help.
    For example, apart from "relevance > 7" means offense, I have no idea how to gauge relevance.
    I don't know how, in an objective and measurable way, to choose between a relevance of, say, 5 and 6.

    Posted By travis.mcwaters
  • Jayakumar66 (3 Posts)

    Re: A guide to the rules would help

    2014-11-19T08:45:50Z

    Could you please explain in detail how the magnitude is calculated in Qradar?

  • paulfh (1 Post)

    Clarification on Event and Offense Magnitudes

    2016-03-24T11:53:43Z

    Just for clarification, there are Event Magnitudes and Offense Magnitudes.

    For a discussion about Offense Magnitudes, please see this thread: https://www.ibm.com/developerworks/community/forums/html/topic?id=a2460ae5-d3ad-455e-9d4d-125421bfde39

    Event Magnitudes are calculated as a weighted mean (https://en.wikipedia.org/wiki/Weighted_arithmetic_mean) of the three properties Severity, Credibility and Relevance of the Event.

    Paul
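A toy model of the thread's two points, written here as an added example and not QRadar code: the event magnitude as a (weighted) mean of severity, credibility and relevance, the AND-ed BB:CategoryDefinition: High Magnitude Events test from travis.mcwaters' reply, and the original poster's idea of docking credibility for access-denied events against a resource-host BB while letting repeated hits win it back. The resource-host addresses, the weights, the penalty and the recovery threshold are all assumed values.

```python
"""Toy model of QRadar event magnitude and the rules discussed in this thread.
Added example, not QRadar's own code: the building-block names and the
(severity, credibility, relevance) triples come from the thread; the weights,
the resource-host list, the penalty and the recovery threshold are assumptions."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: hosts the original poster would put into a "resource hosts" BB.
RESOURCE_HOSTS = {"10.0.0.5", "10.0.0.6"}
# Equal weights reproduce the plain (S + C + R) / 3 mean; other weights give the
# weighted mean mentioned in the last reply (assumed values, not QRadar's).
WEIGHTS = {"severity": 1.0, "credibility": 1.0, "relevance": 1.0}


@dataclass
class Event:
    src: str
    dst: str
    severity: int
    credibility: int
    relevance: int


def magnitude(ev: Event, weights=WEIGHTS) -> float:
    """Weighted mean of the three properties (equal weights = (S + C + R) / 3)."""
    total = sum(weights.values())
    return (weights["severity"] * ev.severity
            + weights["credibility"] * ev.credibility
            + weights["relevance"] * ev.relevance) / total


def is_high_magnitude(ev: Event) -> bool:
    """BB:CategoryDefinition: High Magnitude Events - the three tests are AND-ed."""
    return ev.severity > 8 and ev.credibility > 8 and ev.relevance > 8


def tune_credibility(events, penalty=3, recover_after=5):
    """Original poster's idea: lower credibility for events against the resource-host
    BB, but let repeated hits from the same source restore it (assumed threshold)."""
    seen = Counter()
    out = []
    for ev in events:
        cred = ev.credibility
        if ev.dst in RESOURCE_HOSTS:
            seen[ev.src] += 1
            if seen[ev.src] < recover_after:
                cred = max(0, cred - penalty)
        out.append(Event(ev.src, ev.dst, ev.severity, cred, ev.relevance))
    return out
```

Note that an event scoring 9/9/8 never enters the High Magnitude BB, because all three tests must hold at once; the mean alone would put it at 8.67.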