26 replies Latest Post - ‏2013-05-24T06:46:16Z by OmkarS
SystemAdmin
SystemAdmin
168 Posts
ACCEPTED ANSWER

Pinned topic Report on Open vs. Closed Offenses?

‏2010-02-18T22:09:46Z |
Looking for some sort of report showing number of new offenses, number of current offenses, and number of closed offenses per day/week/month. This is meant to be a productivity measure for our incident response folks. Obviously you can report on new offenses, but I can't figure out how to graph "open offenses" vs. "closed offenses". Any thoughts, or am I missing something obvious?
Posted By PaulD
Updated on 2013-02-12T15:36:33Z at 2013-02-12T15:36:33Z by SystemAdmin
  • SystemAdmin

    Re: report for an offense

    ‏2010-02-25T13:30:52Z  in response to SystemAdmin
    I have a same type of query. How can I generate a report for an Offense say offense 1238?
    Posted By Guest
  • SystemAdmin

    Re: Wow.. this is very old and no

    ‏2010-03-11T13:48:09Z  in response to SystemAdmin
    Wow.. this is very old and no one answered it...

    This is something that can be done with the audit events.

    You would first need to go to the event viewer, filter for the System-Audit device, and filter the events you want, in this case "Offense Close". Then choose "display" by "Event Name" at the top of the screen. That should give you a little search that shows the number of offenses closed during your search time.

    Save that search criteria with a name you will remember in the next step.

    Go to reports and set up a new daily, weekly or monthly report, choosing 'events' as the chart type. Then pull up your saved search and switch the X axis to time.
    Posted By sandy.bird
  • SystemAdmin

    Re: Thanks for the update...

    ‏2010-10-13T18:09:12Z  in response to SystemAdmin
    Well I just needed this too... I'm going out on a limb here.... Was this requested as an enhancement? As most will attest to, being able to report on the kinds of offenses (trending) is going to have more importance than the sheer number of offenses closed.
    Thanks
    Posted By Guest
  • SystemAdmin

    Re: you may be able to use the

    ‏2010-10-23T16:52:35Z  in response to SystemAdmin
    You may be able to use the system notification records to see how many offenses have been scheduled (it will say scheduling X of X offenses). I am not aware of a method to specifically display which offense IDs have been created.
    Posted By Aaron.Breen
  • SystemAdmin

    Re: I think there may be a way to

    ‏2010-11-05T12:28:00Z  in response to SystemAdmin
    I think there may be a way to do this. Look at the qradar.log for init-sched for new offenses created

    grep -i 'init-sched' /var/log/qradar.log

    This should show the new number of offenses. You can put this in a custom property, save the search then base a report off it.
    Posted By Aaron.Breen
  • SystemAdmin

    Re: Possible in v7.0?

    ‏2011-03-15T15:22:21Z  in response to SystemAdmin
    I had a simple report that showed the number of offenses that have been created and closed per week in version 6.3.1.

    However, I've recently upgraded to version 7.0 and can't work out how to get this same report.

    Any ideas??!!
    Posted By dingall
  • SystemAdmin

    Re: offense-report in V7.0

    ‏2011-04-11T12:41:55Z  in response to SystemAdmin
    I have the same request and issue: reporting worked in 6.3 and no longer does in 7.0 (I had hoped it was improved, but now it's gone...).
    Tried to substitute with the suggested queries on qradar.log, but to me it's not clear how to analyse the grep-ed results. Why isn't there a simple built-in query on new, open and closed offenses per day / week / month?
    Managers and controllers want to have reports about
    Posted By franz.leippert
  • SystemAdmin

    Re: add me in

    ‏2011-04-11T15:38:43Z  in response to SystemAdmin
    just wanted to say that I would be interested as well.
    Posted By pat
  • SystemAdmin

    Re: Has anyone managed to work

    ‏2011-07-06T14:48:26Z  in response to SystemAdmin
    Has anyone managed to work out a solution to this yet?

    It seems to be easy enough to create a search for "Offense Closed" events, which can then be used in a report, but I haven't yet been able to create an "Offense Opened/Created" search. There are some QIDs that look like they should return the right results, but it looks to me like there is no event recorded in the SIM logs in QRadar that indicates a new offense has been created.

    This seems like a fairly basic requirement, so I'm surprised it's so hard to find!
    Posted By dingall
  • SystemAdmin

    Re: Offense from CSV

    ‏2011-07-20T20:39:40Z  in response to SystemAdmin
    OK, I'm approaching this from a different direction.. I've exported the offenses in a CSV format and I'm able to pull some of this information... I can see when the offense was generated in the "formattedstarttime" column, and assigned time "formattedendtime". The time to assign is shown in "formattedDuration". The "dismissedCode" is where you can see the change from open (0) to closed (2). This may not be anything new to anyone at this point... but I thought I'd offer this up.
    If anyone has happened to find a code to show the timestamp when the offense is actually closed please let me know.
    Thanks and good luck.
    Posted By Guest
  • SystemAdmin

    Re: Looks like a lot of us need this for mgmt

    ‏2011-07-22T16:27:08Z  in response to SystemAdmin
    Good thoughts here but it would be nice to have pre-built reports. Management loves graphs and reports.
    Posted By searlss2
  • SystemAdmin

    Re: Offense reports

    ‏2011-08-30T15:17:18Z  in response to SystemAdmin
    Interest here too in being able to generate reports based on Offense data.
    Posted By Guest
  • SystemAdmin

    Re: Clarify the CSV headings

    ‏2011-10-04T17:54:29Z  in response to SystemAdmin
    I too am looking for open/closed metrics but I wanted to clarify the headings in the exported CSV file mentioned above. The "FormattedEndTime" mentioned above is not the time the offense was assigned but the time the last item (Either an event or flow) associated with the offense was added to the offense. The "FormattedDuration" is the length of time the offense took place (FormattedStartTime subtracted from the FormattedEndTime) and unfortunately the CSV export does not include a time the offenses were closed (at least not that I could find).
    I still have not found a consistent method to pull the time an offense was actually closed. We can hope this makes it into a feature request soon. :)
    Posted By Smack
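For the CSV-export route discussed in the two posts above, here is an added illustration (not code from this thread or from QRadar). Since the export carries no close timestamp, the only way to get a closed-per-interval figure out of it is to export on a schedule and diff consecutive snapshots, treating an offense whose dismissedCode moved from 0 to 2 as closed in that interval. The two snapshots below are constructed using the column names given in the posts; the `id` column name and all the time values are assumptions.

```python
import csv
import io

# Two constructed daily exports (not real QRadar data) using the column names the posts
# above give: formattedstarttime, formattedendtime, formattedDuration, dismissedCode.
# The "id" column name is an assumption.
SNAPSHOT_DAY1 = """id,formattedstarttime,formattedendtime,formattedDuration,dismissedCode
73,2013-09-26 11:56:22,2013-09-26 14:20:05,2h 23m 43s,0
74,2013-09-26 13:10:05,2013-09-26 13:10:05,0s,0
"""
SNAPSHOT_DAY2 = """id,formattedstarttime,formattedendtime,formattedDuration,dismissedCode
73,2013-09-26 11:56:22,2013-09-26 14:20:05,2h 23m 43s,2
74,2013-09-26 13:10:05,2013-09-27 08:45:00,19h 34m 55s,0
75,2013-09-27 09:00:00,2013-09-27 09:31:12,31m 12s,0
"""

OPEN, CLOSED = "0", "2"  # dismissedCode values identified in the post above


def load_snapshot(csv_text):
    """Map offense id -> row dict for one export."""
    return {row["id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def status_counts(snapshot):
    """Open / closed / other counts for a single export (a point-in-time picture only)."""
    counts = {"open": 0, "closed": 0, "other": 0}
    for row in snapshot.values():
        code = row["dismissedCode"]
        key = "open" if code == OPEN else "closed" if code == CLOSED else "other"
        counts[key] += 1
    return counts


def diff_snapshots(prev, curr):
    """Offenses that appeared, and offenses that went open -> closed, between two exports.

    formattedendtime is the time of the last event/flow added to the offense, not the
    close time, so the transition between snapshots is the only close signal available.
    """
    new_ids = sorted(set(curr) - set(prev), key=int)
    closed_ids = sorted(
        [oid for oid, row in curr.items()
         if row["dismissedCode"] == CLOSED
         and oid in prev and prev[oid]["dismissedCode"] == OPEN],
        key=int,
    )
    return {"new": new_ids, "closed": closed_ids}


if __name__ == "__main__":
    day1, day2 = load_snapshot(SNAPSHOT_DAY1), load_snapshot(SNAPSHOT_DAY2)
    print("day 1:", status_counts(day1))
    print("day 2:", status_counts(day2))
    print("changes day 1 -> day 2:", diff_snapshots(day1, day2))
```

The granularity of the resulting series is the export interval, so an offense opened and closed between two exports is never seen; exporting at least daily is the minimum for the per-day figures the original question asks about.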
  • SystemAdmin

    Re: Offense Reports

    ‏2012-02-13T20:37:09Z  in response to SystemAdmin
    I am also looking for an Offenses report that would show date and time created and date and time closed.
    Posted By tod.chapman
  • SystemAdmin

    Re: Offense Reports for SOC.

    ‏2012-03-05T20:51:53Z  in response to SystemAdmin
    I am also looking for an Offenses report that would show date and time created and date and time closed.
    Posted By snagarajan
  • SystemAdmin

    Re: Offense report

    ‏2012-05-03T13:56:57Z  in response to SystemAdmin
    Did anyone get an answer to this question: 'a report for offenses that would show date and time created and date and time closed'?

    I really need this type of information since more than one person is working these offenses.

    thanks
    Loretta
    Posted By Loretta Sanford
  • SystemAdmin

    Re: Need trending report for offenses

    ‏2012-05-08T20:45:34Z  in response to SystemAdmin
    This thread is over 2 years old, but I don't see any real answers to Paul's original question (which is exactly what I need as well):

    "Looking for some sort of report showing number of new offenses, number of current offenses, and number of closed
    offenses per day/week/month. This is meant to be a productivity measure for our incident response folks. Obviously
    you can report on new offenses, but I can't figure out how to graph "open offenses" vs. "closed offenses". Any
    thoughts, or am I missing something obvious?"

    I can of course run manual queries on offenses but don't see any way to run a report with historical information on offenses (or even how to use a saved offense query!) We also need to see the date/time offense was created, the assignee and when the offense was closed.

    I seriously can't believe there's not a stock report for something like that. Hopefully I'm missing something and someone can point me in the right direction.

    Thanks!
    Posted By Moonbeam
  • SystemAdmin

    Re: No Report

    ‏2012-05-09T14:40:04Z  in response to SystemAdmin
    I opened a support ticket to see if a report was in the works or if they had a query to provide and basically got that we can run a query based on the 30 days retention but that is it.

    smile
    Loretta
    Posted By Loretta Sanford
  • SystemAdmin

    Re: Hi Guys, To get a report of

    ‏2012-06-18T15:40:24Z  in response to SystemAdmin
    Hi Guys,

    To get a report of this data in the current product it would require two components. The first was described by Sandy in post #2: you can search against the audit trail in the event viewer for "OffenseClosed"; this will bring back the records of the offenses with their close time. Create any extracted properties you want and adjust your columns to produce a saved search appropriate to your report.

    To get the offense Created is a bit harder: you would need to turn on the syslog notifications for your custom event rules, or enable the default rule "Default-Response-Syslog: Offense SYSLOG Sender". You would want to adjust that rule so that it alerts on everything. I would suggest changing the rule to be like the attached screenshot.
    Now you would want to search against the system notification messages for:
    "com.q1labs.semsources.destinations.SyslogDestination"

    the full message will be similar to:
    Jun 18 12:28:31 172.16.77.116 ecs [http://type=com.eventgnosis.system.ThreadedEventTerminatorparent=csd.localhost.com:ecs0/MPC/SyslogNG] com.q1labs.semsources.destinations.SyslogDestination: INFO NOT:0000006000http://192.168.1.234/- - -/- -Offense CRE Rule Default-Response-Syslog: Offense SYSLOG Sender fired on offense #174: Host Port Scan Detected by Remote Host

    So you have the Offense ID and the Rule name that fired. You can save this search and leverage it in a report for offenses based on create time.

    To get this method enhanced with something more user-friendly your best bet is to log a ticket in the self-service so we can get it assigned to a Feature Request where Product Management can see it.

    Adam.
    Posted By Adam(q1)
  • SystemAdmin

    Re: Yes, please do it!

    ‏2012-06-18T18:28:11Z  in response to SystemAdmin
    Please Q1 Add this as a feature request and if not already open add all users here in this thread to it.

    But there must be one already. I hope.

    You should definitely post the feature requests and how many people already are attached to it. So we could see which ones can need some more weight.


    Posted By pat
  • SystemAdmin

    Re: Count me in

    ‏2012-06-19T16:32:49Z  in response to SystemAdmin
    This would simplify things for myself and my team a great deal if we could have this feature.
    Posted By Andy Myers
  • SystemAdmin

    Re: You can add me to the feature

    ‏2012-08-14T02:08:30Z  in response to SystemAdmin
    You can add me to the feature request as well
    Posted By EP@UO
  • SystemAdmin

    Re: New Offenses Report

    ‏2013-02-12T10:10:18Z  in response to SystemAdmin
    Can anyone please let me know if anyone has got a workaround on this problem?
    I wanted to generate a report of new offenses received in last 12 / 24 hours.
    Posted By Omkar Soman
  • SystemAdmin

    Re: Report on New Offenses created in the last 24 hours

    ‏2013-02-12T15:25:41Z  in response to SystemAdmin
    This is something I worked on with a customer to create, and what I think you are looking for.

    1. Create an offense rule
    Select offense tab – Rules – Action – “New Offense Rule”
    In the test search put in “new”
    Select “when a new offense is created”
    Name the Rule and select a group if desired – “Next” – A good name is “New Offense Count”
    Under Rule Response select “Send to Local Syslog”
    Ensure it is enabled and then “Finished”

    2. In the “Log Activity” tab – Find the syslog that the rule might create
    Search – “New Search”
    Time Range – Start at 5 minutes
    Search Parameters – Log source -> “System notification console” and payload contains “SyslogDestination”

    3. Perform the search till you see an event that was created by the new rule

    Sep 26 11:56:22 127.0.0.1 ecs [http://type=com.eventgnosis.system.ThreadedEventTerminatorparent=csd7.q1labs.lab:ecs0/MPC/SyslogNG] com.q1labs.semsources.destinations.SyslogDestination: INFO NOT:0000006000http://172.16.77.107/- - -/- -Offense CRE Rule New Offense Count fired on offense #73: Local TCP Scanner Detected

    4. After finding this event you will need to create a couple custom properties for it

    a. First custom property for the Offense Number

    With an event like the above open select “Extract Property”

    • New Property – Offense Number

    • Select -- “Optimize parsing for rules, reports, and searches”

    • Field Type – AlphaNumeric

    • In the Property Expression Definition section everything should be fine other than needing a RegEx: -- offense\s#(.*?):

    • Ensure that the offense number is highlighted and Save

    b. The second custom property is for Offense Name, which is the name of the rule that created the offense.

    -> Follow the same steps as the first custom property other than:

    New Property – Offense Name

    RegEx -- offense\s#(.*?):\s(.*) and Capture Group is “2”

    5. Create a couple of searches to use in the report (these you may want to tweak a little)

    Create the same search as in step 2, but in the “Column Definition” you are going to want to remove all the “Group By” and “columns” pre-selected on the right. Now look for your newly created filters in the “Available Columns” and add them to your “Group By” on the right. Search and look at the search results to see if this is what you may want to see. For another search for just the total offenses created, they could create another custom property with RegEx: Offense\sCRE\sRule\s(.*?)\sfired

    Then if you create a saved search with just that in the “Group By” it could be another report the customer is looking for.

    6. Create a report using the saved Event searches.
    Posted By dale.beresford
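As an added illustration of the two-part approach Adam and Dale describe above (this is not code from the thread or from QRadar), the Python below applies the extraction regexes from Dale's post to constructed "Offense SYSLOG Sender" notification payloads, pairs them with constructed close records of the kind an "Offense Closed" audit search export would give, and rolls both up into the new / closed / open per-day series the original question asks for. The header-trimmed sample lines, the year, the close records and the offense-name pattern `offense\s#(.*?):\s(.*)` (adjusted so that capture group 2 picks up the `Local TCP Scanner Detected` tail of the sample message) are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Extraction patterns. The offense-number and rule-name patterns are the ones given in the
# post above; the offense-name pattern is an assumption adjusted to match the
# "... fired on offense #73: Local TCP Scanner Detected" tail (capture group 2 = name).
OFFENSE_NUMBER_RE = re.compile(r"offense\s#(.*?):")
OFFENSE_NAME_RE = re.compile(r"offense\s#(.*?):\s(.*)")
RULE_NAME_RE = re.compile(r"Offense\sCRE\sRule\s(.*?)\sfired")

SYSLOG_YEAR = 2013  # syslog timestamps carry no year; assumed for the constructed sample

# Constructed "System notification console" payloads with the long header trimmed.
# Not real QRadar output; the second line is an unrelated notification the parser must skip.
SYSLOG_LINES = [
    "Sep 26 11:56:22 127.0.0.1 ecs com.q1labs.semsources.destinations.SyslogDestination: INFO "
    "Offense CRE Rule New Offense Count fired on offense #73: Local TCP Scanner Detected",
    "Sep 26 12:03:41 127.0.0.1 ecs com.q1labs.semsources.destinations.SyslogDestination: INFO "
    "constructed unrelated notification text",
    "Sep 26 13:10:05 127.0.0.1 ecs com.q1labs.semsources.destinations.SyslogDestination: INFO "
    "Offense CRE Rule New Offense Count fired on offense #74: Host Port Scan Detected by Remote Host",
    "Sep 27 09:00:00 127.0.0.1 ecs com.q1labs.semsources.destinations.SyslogDestination: INFO "
    "Offense CRE Rule New Offense Count fired on offense #75: Excessive Firewall Denies",
]

# Constructed close records of the kind an "Offense Closed" audit search export would give:
# (close timestamp, offense id). Not real data.
CLOSED_RECORDS = [
    ("2013-09-26 16:30:00", 73),
    ("2013-09-27 10:15:00", 74),
]


def parse_created(lines, year=SYSLOG_YEAR):
    """Return one record per offense-creation notification: timestamp, id, name, firing rule."""
    created = []
    for line in lines:
        m_num = OFFENSE_NUMBER_RE.search(line)
        m_name = OFFENSE_NAME_RE.search(line)
        m_rule = RULE_NAME_RE.search(line)
        if not (m_num and m_name and m_rule):
            continue  # not an offense-creation notification
        # Syslog prefix "Mon DD HH:MM:SS" occupies the first 15 characters.
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
        created.append({
            "created": ts,
            "offense_id": int(m_num.group(1)),
            "offense_name": m_name.group(2),
            "rule": m_rule.group(1),
        })
    return created


def daily_offense_metrics(created, closed):
    """Per day: (date, new, closed, open at end of day).

    "open" is a running total relative to the first day in the data, i.e. it does not
    include offenses that were already open before the reporting window started.
    """
    new_per_day = Counter(rec["created"].date() for rec in created)
    closed_per_day = Counter(
        datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date() for ts, _ in closed)
    rows, open_count = [], 0
    for day in sorted(set(new_per_day) | set(closed_per_day)):
        open_count += new_per_day[day] - closed_per_day[day]
        rows.append((day.isoformat(), new_per_day[day], closed_per_day[day], open_count))
    return rows


if __name__ == "__main__":
    for row in daily_offense_metrics(parse_created(SYSLOG_LINES), CLOSED_RECORDS):
        print("%s  new=%d  closed=%d  open=%d" % row)
```

Because the open figure is relative to the window start, a window in which older offenses are closed can drive it negative; seed `open_count` from the offense tab's count of open offenses at the start of the window if absolute numbers are needed.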
  • SystemAdmin

    Re: Thanks for a quick reply

    ‏2013-02-12T15:36:33Z  in response to SystemAdmin
    Thanks for a quick reply Dale. This is really helpful. I will try this and let you know about the result.
    Posted By Omkar Soman
  • OmkarS

    Updated Offenses Report

    ‏2013-05-24T06:46:16Z  in response to SystemAdmin

    Hello Team,

    I posted a query in this thread some months ago, regarding new offense count. Now I am looking for a report of updated offenses.

    As per my understanding, we need to create new offense rule and a custom property for it like last time. Can someone please help?