IBM Support

QRadar: Why are Offenses generated from Historical Correlation named strangely?

Question & Answer


Question

When I generate Offenses using a Historical Correlation profile, why don't I get the Offense names I expect?

Answer

Offenses generated during a Historical Correlation run are named with the low-level category of the first triggering event.

When events match a Rule during a Historical Correlation run, the only action the system takes is to generate an Offense, and only if the Rule is configured to do so. All other rule actions and responses are ignored, including the generation of Custom Rule Engine events that are configured to contribute to Offense naming.


Document Information

Modified date:
26 June 2020

UID

ibm16238972