This topic has been locked.
Pinned topic Report on Open vs. Closed Offenses?
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Looking for some sort of report showing number of new offenses, number of current offenses, and number of closed offenses per day/week/month. This is meant to be a productivity measure for our incident response folks. Obviously you can report on new offenses, but I can't figure out how to graph "open offenses" vs. "closed offenses". Any thoughts, or am I missing something obvious?-------Posted BY PaulD
Re: report for an offense2010-02-25T13:30:52ZThis is the accepted answer. This is the accepted answer.I have a same type of query. How can I generate a report for an Offense say offense 1238?
Posted By Guest
Re: Wow.. this is very old and no2010-03-11T13:48:09ZThis is the accepted answer. This is the accepted answer.Wow.. this is very old and no one answered it...
This is something that can be done with the audit events.
You would first need to go to the event viewer, filter for the System-Audit device, and filter the events you want, in this case "Offense Close". The choose "display" by "Event Name" at the top of the screen. That should give you little search that shows the number of offenses closed during your search time.
Save that search criteria with a name you will remember in the next step.
Go to reports and setup a new daily, weekly, monthly report, choose 'events' as the chart type. Then pull up your saved search and switch the X axis to time.
Posted By sandy.bird
Re: Thanks for the update...2010-10-13T18:09:12ZThis is the accepted answer. This is the accepted answer.Well I just needed this too... I'm going out on a limb here.... Was this requested as an enhancement? As most will attest to, being able to report on the kinds of offenses (trending) is going to have more importance than the sheer number of offenses closed.
Posted By Guest
Re: you may be able to use the2010-10-23T16:52:35ZThis is the accepted answer. This is the accepted answer.you may be able to use the system notification records to see how many offenses have been scheduled (it will say scheduling X of X offenses). I am not aware of a method to specific display which offense IDs have been created.
Posted By Aaron.Breen
Re: I think there may be a way to2010-11-05T12:28:00ZThis is the accepted answer. This is the accepted answer.I think there may be a way to do this. Look at the qradar.log for init-sched for new offenses created
cat /var/log/qradar.log | grep -i 'init-sched'
This should show the new number of offenses. You can put this in a custom property, save the search then base a report off it.
Posted By Aaron.Breen
Re: Possible in v7.0?2011-03-15T15:22:21ZThis is the accepted answer. This is the accepted answer.I had a simple report that showed the number of offenses that have been created and closed per week in version 6.3.1.
However, I've recently upgraded to version 7.0 and can't work out how to get this same report.
Posted By dingall
Re: offense-report in V7.02011-04-11T12:41:55ZThis is the accepted answer. This is the accepted answer.I have the same request and issue - reporting worked in 6.3 and no more in 7.0 ( and hoped it was improved but now its gone ... )
Tried to substitute with the suggested queries on qradar.log, but to me it's not clear how to analyse the grep-ed results. Why isn't there a simple built in query on new, open and closed offenses per day / week / month.
Managers and controllers want to have reports about
Posted By franz.leippert
Re: add me in2011-04-11T15:38:43ZThis is the accepted answer. This is the accepted answer.just wanted to say that I would be interested as well.
Posted By pat
Re: Has anyone managed to work2011-07-06T14:48:26ZThis is the accepted answer. This is the accepted answer.Has anyone managed to work out a solution to this yet?
It's seems to be easy enough to create a search for "Offense Closed" events, which can then be used in a report, but I haven't yet been able to create an "Offense Opened/Created" search. There are some QID's that look like they should return the right results, but it looks to me like there is no event recorded in the SIM logs in QRadar that indicates a new offense has been created.
This seems like a fairly basic requirement, so I'm surprised it's so hard to find!
Posted By dingall
Re: Offense from CSV2011-07-20T20:39:40ZThis is the accepted answer. This is the accepted answer.OK, I'm approaching this from a different direction.. I've exported the offenses in a CSV format and I'm able to pull some of this information... I can see when the offense was generated in the "formattedstarttime" column, and assigned time "formattedendtime". The time to assign is shown in "formattedDuration". The "dismissedCode" is where you can see the change from open (0) to closed (2). This may not be anything new to anyone at this point... but I thought I'd offer this up.
If anyone has happened to find a code to show the timestamp when the offense is actually closed please let me know.
Thanks and good luck.
Posted By Guest
Re: Looks like a lot of us need this for mgmt2011-07-22T16:27:08ZThis is the accepted answer. This is the accepted answer.Good thoughts here but it would be nice to have pre-built reports. Management loves graphs and reports.
Posted By searlss2
Re: Offense reports2011-08-30T15:17:18ZThis is the accepted answer. This is the accepted answer.Interest here too in being able to generate reports based on Offense data.
Posted By Guest
Re: Clarify the CSV headings2011-10-04T17:54:29ZThis is the accepted answer. This is the accepted answer.I too am looking for open/closed metrics but I wanted to clarify the headings in the exported CSV file mentioned above. The "FormattedEndTime" mentioned above is not the time the offense was assigned but the time the last item (Either an event or flow) associated with the offense was added to the offense. The "FormattedDuration" is the length of time the offense took place (FormattedStartTime subtracted from the FormattedEndTime) and unfortunately the CSV export does not include a time the offenses were closed (at least not that I could find).
I still have not found a consistent method to pull the time an offense was actually closed. We can hope this makes it into a feature request soon. :)
Posted By Smack
Re: Offense Reports2012-02-13T20:37:09ZThis is the accepted answer. This is the accepted answer.I am also looking for a Offenses report that would show date and time created and date and time closed.
Posted By tod.chapman
Re: Offense Reports for SOC.2012-03-05T20:51:53ZThis is the accepted answer. This is the accepted answer.I am also looking for a Offenses report that would show date and time created and date and time closed.
Posted By snagarajan
Re: Offense report2012-05-03T13:56:57ZThis is the accepted answer. This is the accepted answer.Did anyone get a answer to this questions ' a report for a offenses report that would show date and time creatd and data and time closed.'
I really need this type of information since more that one person is working these offenses.
Posted By Loretta Sanford
Re: Need trending report for offenses2012-05-08T20:45:34ZThis is the accepted answer. This is the accepted answer.This thread is over 2 years old, but I don't see any real answers to Paul's original question (which is exactly what I need as well):
"Looking for some sort of report showing number of new offenses, number of current offenses, and number of closed
offenses per day/week/month. This is meant to be a productivity measure for our incident response folks. Obviously
you can report on new offenses, but I can't figure out how to graph "open offenses" vs. "closed offenses". Any
thoughts, or am I missing something obvious?"
I can of course run manual queries on offenses but don't see any way to run a report with historical information on offenses (or even how to use a saved offense query!) We also need to see the date/time offense was created, the assignee and when the offense was closed.
I seriously can't believe there's not a stock report for something like that. Hopefully I'm missing something and someone can point me in the right direction.
Posted By Moonbeam
Re: No Report2012-05-09T14:40:04ZThis is the accepted answer. This is the accepted answer.I opened a support ticket to see if a report was in the works or if they had a query to provide and basically got that we can run a query based on the 30 days retention but that is it.
Posted By Loretta Sanford
Re: Hi Guys, To get a report of2012-06-18T15:40:24ZThis is the accepted answer. This is the accepted answer.Hi Guys,
To get a report of this data in the current product it would require two components, the first was descibed by Sandy in post #2, you can search against the audit trail in event viewer for "OffenseClosed" this will bring back the records of the offenses with their close time. Create any extracted properties you want and adjust your columns to produce a saved search appropriate to your report.
To get the offense Created is a bit harder, you would need to turn on the syslog notifications for your custom event rules or enable the default rule: "Default-Response-Syslog: Offense SYSLOG Sender" you would want to adjust that rule to it alerts on everything. I would suggest changing the rule to be like the attached screenshot.
now you would want to search against the system notification messages for:
the full message will be similar to:
Jun 18 12:28:31 172.16.77.116 ecs [http://type=com.eventgnosis.system.ThreadedEventTerminator
parent=csd.localhost.com:ecs0/MPC/SyslogNG]com.q1labs.semsources.destinations.SyslogDestination: INFO NOT:0000006000http://192.168.1.234/- - -/- -Offense CRE Rule Default-Response-Syslog: Offense SYSLOG Sender fired on offense #174: Host Port Scan Detected by Remote Host
So you have the Offense ID and the Rule name that fired. You can save this search and leverage it in a report for offenses based on create time.
To get this method enhanced with something more user-friendly your best bet is to log a ticket in the self-service so we can get it assigned to a Feature Request where Product Management can see it.
Posted By Adam(q1)
Re: Yes, please do it!2012-06-18T18:28:11ZThis is the accepted answer. This is the accepted answer.Please Q1 Add this as a feature request and if not already open add all users here in this thread to it.
But there must be one already. I hope.
You should definitely post the feature requests and how many people already are attached to it. So we could see which ones can need some more weight.
Posted By pat
Re: Count me in2012-06-19T16:32:49ZThis is the accepted answer. This is the accepted answer.This would simplify things for myself and my team a great deal if we could have this feature.
Posted By Andy Myers
Re: You can add me to the feature2012-08-14T02:08:30ZThis is the accepted answer. This is the accepted answer.You can add me to the feature request as well
Posted By EP@UO
Re: New Offenses Report2013-02-12T10:10:18ZThis is the accepted answer. This is the accepted answer.Can anyone please let me know if anyone has got a workaround on this problem?
I wanted to generate a report of new offenses received in last 12 / 24 hours.
Posted By Omkar Soman
Re: Report on New Offenses created in the last 24 hours2013-02-12T15:25:41ZThis is the accepted answer. This is the accepted answer.This is something thing I worked with a customer to create and what I think you are looking for.
1. create an offense rule
Select offense tab – Rules – Action – “New Offense Rule”
In the test search put in ‘new”
Select “when a new offense is created”
Name the Rule and select a group if desired – “Next” – Good name is “New Offense Count”
Under Rule Response select to “Send to Local Syslog”
Ensure it is enables and then “Finished”
2. In the “Log Activity” tab – Find the syslog that the rule might create
Search – “New Search”
Time Range – Start at 5 minutes
Search Parameters – Log source -> “System notification console” and payload contains “SyslogDestination”
3. Perform the search till you see an event that was created by the new rule
Sep 26 11:56:22 127.0.0.1 ecs [http://type=com.eventgnosis.system.ThreadedEventTerminator
parent=csd7.q1labs.lab:ecs0/MPC/SyslogNG]com.q1labs.semsources.destinations.SyslogDestination: INFO NOT:0000006000http://172.16.77.107/- - -/- -Offense CRE Rule New Offense Count fired on offense #73: Local TCP Scanner Detected
4. After finding this event you will need to create a couple custom properties for it
a. First custom property for the Offense Number
With an event like the above open select “Extract Property”
- New Property – Offense Number
- Select -- “Optimize parsing for rules, reports, and searches
- Field Type – AlphaNumeric
- In the Property Expression Definition section everything should be fine other then needing a RegEx: -- offense\s#(.*?):
- Insure that the offense number is highlighted and Save
b. Second custom Property is for Offense Name which is the name of the rule that created the offense.
-> Follow the same steps as the first custom property other then:
New Property – Offense Name
RegEx -- offense\s#(.?)#\s(.*) and Capture Group is “2”
5. Create a couple searches to use in the report (The you may want to tweak a little)
Create the same search as in step 2 but in the “Column Definition” you are going to want to remote all the “Group By” and “columns” pre selected on the right. Now look for your newly created filters in the “Available Columns” and add them to your “Group By” on the right. Search and look at the search results to see if this is what you may want to see. Another search for just total offenses created they could create another custom property with RegEx: Offense\sCRE\sRule\s(.*?)\sfired
Then if you create a saved search with just that in the “Group By” it could be another report the customer is looking for.
6. Create a report using the saved Event searches.
Posted By dale.beresford