IBM Support

QRadar: Creating offenses to monitor internal log sources

Troubleshooting


Problem

I would like to know how to create a rule for QRadar to generate offenses when my internal log sources stop sending events, such as SIM-Audit.

Symptom

This rule is intended to generate an offense when QRadar has not detected an event from an internal log source for 1 hour, and to keep firing every 30 minutes while the condition persists. Internal log sources, especially SIM Audit, are critical to QRadar: many administrators use SIM Audit data to report on QRadar user activity and to meet compliance requirements in corporate environments.

Resolving The Problem

What are internal log sources?
Several internal DSMs are included by default with every QRadar installation. They are non-configurable and are used to parse events generated by QRadar itself. As of QRadar 7.2.7, events from these internal log sources do not count against your EPS limit. Internal log sources cannot be added as a "Log Source Type" in the interface, because they are intentionally hidden from the log source configuration user interface. Administrators interested in tracking events generated by QRadar can still search on these log sources from the Log Activity screen.

Types of data collected by internal log sources:
  • Anomaly detection engine - events fired as a result of the Anomaly Detection Engine, such as threshold events.
  • Asset Profile - events that come from the Asset Profiler, such as discovery of a new asset, an asset IP change, or a new MAC address detected.
  • Health Metrics - events that carry information about the health of the appliance, such as disk space, CPU usage, or performance.
  • Search Results - events related to running searches.
  • System Notification - events that come from the system logs of the appliance, such as power on, power off, disk usage, service starting, and service stopping.
  • SIM Generic Log DSM - general bucket for unknown events.
  • SIM Audit - events recording the activity of users in QRadar. SIM Audit events are written to disk in the /var/log/audit directory.
  • Custom Rule Engine - events from the Custom Rule Engine (CRE), such as timeouts, warnings, or errors.
 

How to view internal log sources

Internal log sources are added by default to the log source group 'Other', so on a new QRadar installation they are listed under that category. In the Log Activity tab, use Add Filter > Log Sources [Indexed] > Other to list the internal DSMs and filter on them; their events are displayed in the Log Activity screen like any other event.

On a fresh QRadar installation no user-added log sources are listed, but you can still see events from QRadar's own processes communicating within the deployment, for example Health Metrics, Asset Profiler and, if it is activated, QRadar Risk Manager, which has its own DSM. Internal DSMs on a default appliance usually have a -2 suffix in their log source name. There is also a Custom Rule Engine DSM and a SIM Generic DSM, but these only create events in response to rule responses or when unknown events are forwarded to QRadar, both of which result from user actions. Think of the internal DSMs as QRadar processes creating messages about the things in the deployment that need to be tracked, such as system notifications and health metrics.


Figure 1: Example of several QRadar Internal DSMs

How to create a rule in QRadar that monitors SIM-Audit events

The procedure in this section shows administrators how to manually create a rule that generates an offense when an internal QRadar log source stops sending events. Administrators interested in monitoring QRadar audit events for security purposes can instead install the IBM QRadar Security Analytics Self Monitoring content extension, which includes a number of default rules, reports, and searches for common monitoring use cases. For more information, see the content extension documentation.
  1. Log in to QRadar.
  2. Click the Offenses tab.
  3. Click the Rules icon.
  4. Click Actions > New Event Rule.
  5. Double-click to add the rule test: + when the event(s) have not been detected by one or more of these log source types for this many seconds.

    Figure 1: Use the rule test 'these log source types' to keep the rule test host independent.
  6. Type a name for the rule, such as QRadar SIM Audit Events Stopped.
  7. From the rule editor, click these log source types and select SIM Audit. Click this many seconds and enter 3600, so that the rule fires after 1 hour without SIM Audit events, as described in the Symptom section.

    Figure 2: Select SIM Audit as the log source type.
  8. Click Submit.
  9. From the Rule Response wizard, configure the response values shown in Figure 3. Make sure the rule creates an offense indexed by Log Source; to have the offense re-fire every 30 minutes while the log source stays silent, as described in the Symptom section, set the response limiter accordingly.

    Figure 3: Configure your rule similar to the screen capture and ensure the rule indexes the offense by Log Source.
  10. Click Next.
  11. Review the rule summary.

    Figure 4: Review the log source summary.
  12. Click Finish.

    Results
    The rule now generates an offense whenever the SIM Audit log source sends no events for 1 hour. If this offense fires, run a Log Activity search filtered on the SIM Audit log source and sorted by time to determine when the log source stopped sending; the same search confirms whether SIM Audit data is currently being generated. If your SIM Audit log source stops creating events for any reason, review the System Notifications on the Dashboard for related issues, or contact QRadar Support for assistance.
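To make the rule's semantics concrete, the following is an added example (not code from this page or from IBM) that models the rule test and the response settings over a constructed event sample: a per-log-source-type "last seen" check against a 3600-second threshold, offenses indexed by log source name, and a 30-minute re-fire limit. The sample rows, their column order (Start Time, Log Source, Log Source Type, as a Log Activity export would show them), the log source names (SIM Audit-2 and so on, following the -2 suffix convention noted above) and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of Log Activity rows (assumed column order: Start Time,
# Log Source, Log Source Type). These are NOT real QRadar export data.
SAMPLE_EVENTS = [
    ("2021-06-02 08:00:05", "SIM Audit-2", "SIM Audit"),
    ("2021-06-02 08:40:12", "SIM Audit-2", "SIM Audit"),
    ("2021-06-02 09:55:00", "Health Metrics-2", "Health Metrics"),
    ("2021-06-02 09:58:01", "Custom Rule Engine-8", "Custom Rule Engine"),
    ("2021-06-02 10:10:30", "Health Metrics-2", "Health Metrics"),
]

THRESHOLD_SECONDS = 3600   # "this many seconds" in the rule test (1 hour)
REFIRE_SECONDS = 1800      # re-fire interval per log source (30 minutes)


def parse_ts(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' timestamp (naive; console local time assumed)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def last_seen_by_type(events):
    """Map each log source type to (latest event time, log source that sent it)."""
    latest = {}
    for ts, name, lstype in events:
        t = parse_ts(ts)
        if lstype not in latest or t > latest[lstype][0]:
            latest[lstype] = (t, name)
    return latest


def silent_types(events, watched_types, threshold_seconds, now):
    """Return {type: (log_source, seconds_silent)} for every watched type that
    has sent nothing in the threshold_seconds before `now`.

    A watched type with no events at all in the sample is reported as
    (None, None): the rule test fires for it too, but there is no log source
    name to index the offense on, so the Log Activity search recommended
    above is the way to find out which source went quiet."""
    latest = last_seen_by_type(events)
    silent = {}
    for lstype in watched_types:
        if lstype not in latest:
            silent[lstype] = (None, None)
            continue
        t, name = latest[lstype]
        gap = int((now - t).total_seconds())
        if gap > threshold_seconds:
            silent[lstype] = (name, gap)
    return silent


class OffenseThrottle:
    """Fire at most once per interval for each offense index (here the log
    source), mirroring the 'every 30 minutes' behaviour described on this page."""

    def __init__(self, interval_seconds=REFIRE_SECONDS):
        self.interval = timedelta(seconds=interval_seconds)
        self.last_fired = {}

    def should_fire(self, index, now):
        prev = self.last_fired.get(index)
        if prev is not None and now - prev < self.interval:
            return False
        self.last_fired[index] = now
        return True


def evaluate(events, watched_types, threshold_seconds, throttle, now):
    """One evaluation pass: return [(offense_index, seconds_silent), ...] for
    the offenses that fire at `now`. The index is the log source name when
    known, otherwise the log source type."""
    fired = []
    for lstype, (name, gap) in silent_types(events, watched_types,
                                            threshold_seconds, now).items():
        index = name if name is not None else lstype
        if throttle.should_fire(index, now):
            fired.append((index, gap))
    return fired


if __name__ == "__main__":
    throttle = OffenseThrottle()
    for when in ("2021-06-02 10:15:00", "2021-06-02 10:25:00", "2021-06-02 10:45:00"):
        print(when, evaluate(SAMPLE_EVENTS, ["SIM Audit", "Health Metrics"],
                             THRESHOLD_SECONDS, throttle, parse_ts(when)))
```

Run stand-alone, the three passes show the behaviour the page describes: at 10:15 SIM Audit-2 has been silent for 5688 seconds and an offense fires, at 10:25 the same condition is still true but the 30-minute limiter suppresses a second offense, and at 10:45 it fires again. Health Metrics-2, which sent an event at 10:10:30, never appears. Replacing SAMPLE_EVENTS with rows from a Log Activity export of the 'Other' log source group gives the same per-type silence check offline, which is useful when deciding whether a missing-events offense reflects a real collection problem or a short maintenance gap.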


Document Information

Modified date:
02 June 2021

UID

swg21993556