Offense indexing
Offense indexing groups events or flows from different rules that are indexed on the same property into a single offense.
IBM QRadar uses the offense index parameter to determine which offenses to chain together. For example, an offense that has only one source IP address and multiple destination IP addresses indicates that the threat has a single attacker and multiple victims. If you index this type of offense by the source IP address, all events and flows that originate from the same IP address are added to the same offense.
You can configure rules to index an offense based on any piece of information. QRadar includes a set of predefined, normalized fields that you can use to index your offenses. If the field that you want to index on is not included in the normalized fields, create a custom event or a custom flow property to extract the data from the payload and use it as the offense indexing field in your rule. The custom property that you index on can be based on a regular expression, a calculation, or an AQL-based expression.
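As an added illustration (not QRadar's own code, and not a description of its internal implementation), the following Python models the chaining behaviour described above: each rule names the property it indexes on, events are grouped into offenses keyed on that property and its value, and a regex-based custom property extracted from the payload stands in for a custom event property. The rule names, fields and payloads are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real QRadar data): normalized fields
# plus a raw payload from which a custom property can be extracted.
EVENTS = [
    {"rule": "Failed login burst", "src": "10.0.0.5", "dst": "10.0.1.10",
     "payload": "sshd: Failed password for user=alice from 10.0.0.5"},
    {"rule": "Port scan", "src": "10.0.0.5", "dst": "10.0.1.11",
     "payload": "firewall: SYN to 10.0.1.11:445 from 10.0.0.5"},
    {"rule": "Failed login burst", "src": "10.0.0.9", "dst": "10.0.1.10",
     "payload": "sshd: Failed password for user=alice from 10.0.0.9"},
]

# Hypothetical rule configuration: the property each rule indexes on.
# Two rules indexed on the same property chain into one offense.
RULE_INDEX = {"Failed login burst": "src", "Port scan": "src"}

# Regex-based custom property: pull the account name out of the payload.
USER_RE = re.compile(r"user=(\w+)")


def custom_property_user(event):
    """Return the username extracted from the payload, or None."""
    m = USER_RE.search(event["payload"])
    return m.group(1) if m else None


def index_value(event, prop):
    """Resolve the index property: normalized field or custom property."""
    if prop == "user":
        return custom_property_user(event)
    return event.get(prop)


def chain_offenses(events, rule_index):
    """Group events into offenses keyed on (index property, value).

    Events whose rules index on the same property and share the same
    value land in the same offense; an event with no index value cannot
    be chained and is skipped.
    """
    offenses = defaultdict(list)
    for ev in events:
        prop = rule_index[ev["rule"]]
        val = index_value(ev, prop)
        if val is None:
            continue
        offenses[(prop, val)].append(ev["rule"])
    return dict(offenses)
```

Switching the login rule to index on the custom `user` property instead of `src` chains the two failed-login events from different source addresses into one offense while the port scan remains separate.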