IBM Support

IJ30912: RULES CAN SOMETIMES FAIL TO RENAME OFFENSES AS EXPECTED, USING INSTEAD THE LOW LEVEL CATEGORY OF THE CONTRIBUTING EVENT

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • In some instances where an Offense is closed, those rules that
    generate a subsequent Offense can fail to rename the rule as
    expected and the Offense is created again with a different name
    that usually corresponds to the Low Level Category (LLC) of the
    contributing event.
    For example:
    1) Have a custom rule -
     and when an event matches any of the following
    BB:DeviceDefinition: IDS / IPS
     and when the event category for the event is one of the
    following Exploit.Misc Exploit
     and NOT when the event QID is one of the following
    (5771846) Shell_Command_Injection
     and NOT when the destination port is one of the following
    445
     and when at least 3 events are seen with the same Source IP
    and different Event Name in 30 minutes
    Rule Action:
     Ensure the detected event is part of an offense
    Rule Response:
     Ensure the dispatched event is part of an offense
    Offense Naming:
     This information should contribute to the name of the
    associated offense(s)
    2) Have events that match the rule, checking that the Offense
    was generated and a Custon Rule Engine (CRE) event, and was
    renamed correctly as configured above.
    3) Close the Offense within 30 minutes.
    4) Have events that match the rule again.
    Expected Result: Another Offense is generated  with CRE event
    and named correctly.
    Actual Results: No CRE event was dispatched, and as a result
    the new Offense is named by LLC
    

Local fix

  • No workaround available.
    APARs identified with no workaround may require a software
    delivery to resolve. This reported issue will be considered for
    a future release and administrators can subscribe to the APAR
    to get updates by clicking on the Subscribe button on the right
    side of thi spage or ask a question about this APAR in our
    Support Forums.
    https://ibm.biz/qradarforums
    

Problem summary

  • This issue was fixed in QRadar QRM QVM release of 7.4.3 FixPack
    1 and 7.3.3 FixPack 9.
    

Problem conclusion

  • This issue was fixed in QRadar QRM QVM release of 7.4.3 FixPack
    1 and 7.3.3 FixPack 9.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ30912

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    741

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-02-16

  • Closed date

    2021-07-13

  • Last modified date

    2021-07-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    QRADAR SOFTWARE

  • Fixed component ID

    5725QRDSW

Applicable component levels

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"741"}]

Document Information

Modified date:
24 July 2021