Investigating offenses

IBM QRadar generates offenses by testing event and flow conditions. To investigate a QRadar offense, you must view the rules that created the offense.

Procedure

  1. Click the Offenses tab.
  2. On the navigation menu, click All Offenses.
  3. Double-click the offense that you are interested in.
  4. On the All Offenses Summary toolbar, click Display > Rules.
  5. From the List of Rules Contributing to Offense pane, double-click the Rule Name that you are interested in.
    Tip: The All Offenses Rules pane might display multiple rule names if the offense generated by QRadar is triggered by a series of different tests.
    For more information about investigating offenses, see the IBM QRadar User Guide.

    Use the IBM QRadar Use Case Manager app to tune the most active rules that create offenses. Download the app at the IBM® Security App Exchange (https://exchange.xforce.ibmcloud.com/hub).
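
The following Python is an added example, not IBM code and not part of the Use Case Manager app. It ranks rules by how many offenses each one contributed to and lists the offenses that more than one rule contributed to, as the Tip describes. The offense records, field names (`id`, `closing_reason`, `rules`), rule IDs, and rule names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample offenses; the field names are assumptions for this example.
OFFENSES = [
    {"id": 101, "closing_reason": None, "rules": [{"id": 1001}, {"id": 1002}]},
    {"id": 102, "closing_reason": "False-Positive, Tuned", "rules": [{"id": 1001}]},
    {"id": 103, "closing_reason": "False-Positive, Tuned",
     "rules": [{"id": 1001}, {"id": 1001}]},  # same rule listed twice
    {"id": 104, "closing_reason": "Non-Issue", "rules": [{"id": 1003}]},
    {"id": 105, "closing_reason": None,
     "rules": [{"id": 1002}, {"id": 1003}, {"id": 1004}]},
]
# Constructed rule names; 1004 is deliberately missing to show the fallback.
RULE_NAMES = {
    1001: "Constructed: Excessive Firewall Denies",
    1002: "Constructed: Login Failures Followed By Success",
    1003: "Constructed: Outbound Traffic To Rare Port",
}

def distinct_rule_ids(offense):
    """Rule IDs that contributed to one offense, de-duplicated."""
    return {rule["id"] for rule in offense.get("rules", [])}

def rule_activity(offenses, rule_names):
    """Return (rule name, offense count, false-positive count), most active first."""
    stats = defaultdict(lambda: [0, 0])
    for offense in offenses:
        false_positive = (offense.get("closing_reason") or "").startswith("False-Positive")
        for rule_id in distinct_rule_ids(offense):
            stats[rule_id][0] += 1
            stats[rule_id][1] += int(false_positive)
    rows = [(rule_names.get(rid, f"rule {rid}"), total, fp)
            for rid, (total, fp) in stats.items()]
    # Most offenses first, then most false positives, then name for stable output.
    return sorted(rows, key=lambda row: (-row[1], -row[2], row[0]))

def multi_rule_offenses(offenses):
    """IDs of offenses that more than one distinct rule contributed to."""
    return sorted(o["id"] for o in offenses if len(distinct_rule_ids(o)) > 1)

if __name__ == "__main__":
    for name, total, fp in rule_activity(OFFENSES, RULE_NAMES):
        print(f"{total:>3} offenses, {fp:>2} closed as false positive  {name}")
    print("Offenses with multiple contributing rules:", multi_rule_offenses(OFFENSES))
```

A rule that ranks high on both counts is a candidate for tuning; a rule that ranks high with few false-positive closures is simply busy.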