IBM Support

QRadar: Why does searching for events or flows associated with an Offense show me unrelated records

Question & Answer


Question

When you click on events or flows from an Offense, why do you sometimes see events that are not associated with the Offense, or do not match the full criteria of the Rule?

Cause

Some Rules use stateful tests, also called Match Count tests, which require multiple events to satisfy a condition and trigger the Rule.
When an Offense has been triggered by a Rule with a Match Count test QRadar attempts to provide additional context by showing both the events/flows explicitly associated with the Offense as well as events/flows that contributed to a full match of the Match Count test.

Answer

Definitions:
When an event or flow matches all the Rule criteria but the CRE has not yet fully matched the number of occurrences defined in the Match Count criteria, that event or flow will be marked as Partial Match for that Rule.

When an event or flow matches the criteria and the Match Count criteria have been fully satisfied, the event or flow will be marked as a Full Match for the Rule. If that Rule is configured to add events/flows to an Offense, the event/flow will also be added to the Offense, and the event/flow record will have the field Associated With Offense (referred to as HasOffense in AQL) set to True.

When a Rule is configured to add an event to an Offense, you have to define an Index field. This field will be used as the Source of the Offense.
 
What happens when searching for Events or Flows associated with an Offense:
When a user clicks on the Event or Flow links from the Offense Summary to list the events or flows associated with the Offense, the search returns all Full Match events that contributed to the Offense as well as events that were a Partial Match for the Rule(s) contributing to the Offense with the same Index/Source value.

For example:
Using the following Rule an Offense has been triggered:
Apply matchCountDemo on events which are detected by the Local system
and when at least 4 events are seen with the same Source IP in 1 minute
The Offense shows it has 1 associated event
image 5563
Clicking on the 1 events link brings us the search results for the Offense which includes the 1 Full Match event as well as the 3 Partial Match events that contributed to the Full Match:
 
image 5571
Events that are include HasOffense == True will have a red star icon in the first column on the left.
If you only want to see the events that fully matched the Rule for this Offense, you can filter out the Partial Match events by adding a filter for "Associated with Offense is True".

image 5572
What if my Match Count test uses multiple properties?
In the example, the Rule only matched against one property, which was also the property used as the Index/Source of the Offense.
If the Match Count test includes multiple properties, and the Rule is indexed only against one of them, the Partial Match events may include events that partially match the Rule and have the same Source value as the Full Match event that triggered the Offense, but do not match the other properties.
Currently, QRadar cannot index Offenses on multiple properties, however, you may want to consider creating an AQL Custom Property to combine those fields, then use that Custom Property as the Index value for new Offenses.

If you would like to suggest that we do include multiple-property indexing for Offenses in a future version of QRadar, please consider opening a Request for Enhancement (RFE) or contact Support for assistance with doing so.

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000GnblAAC","label":"ATS-SecIntel Backup->QRadar->Search"},{"code":"a8m0z000000cwthAAA","label":"Offenses"}],"ARM Case Number":"TS003758793","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
18 August 2020

UID

ibm16250893