IBM Support

QRadar: How to confirm the Console is creating offenses

How To


Summary

Some customers configure QRadar to generate offenses frequently, while other installations are highly tuned and might generate only a few offenses per day. This technical note describes methods to quickly confirm that the system is healthy and is actively updating offenses with new event or flow information.

Environment

QRadar creates offenses with the Magistrate (MPC) component. The magistrate runs on the QRadar Console and is responsible for correlating enabled rules with the incoming event notifications sent by the Event Processors (EP) in the deployment.
The magistrate needs at least one Event Processor (ecs-ep). The Console includes its own ecs-ep service, and the magistrate can also receive data from any number of separate Event Processor appliances.
The magistrate is composed of the following components: 
  • Offense rules - Generates offenses for events based on rules defined within QRadar
  • Offense Management - Updates offenses as new events come in that match previously created offenses
  • Offense Storage - Stores the offenses within the Postgres offense table.
These three components work concurrently to determine whether an existing offense requires an update or a new offense is required. A new offense is generated when every test of an enabled rule evaluates to true and the rule action is configured to generate an offense.

How to confirm offenses update in the user interface

  1. Click the Offense tab.
  2. Click the Last Event/Flow column to sort offenses by the latest update.
  3. Newly added events or flows indicate that the system is healthy and updating active offenses.

How to use the command line to confirm offense updates

  1. Log in to the QRadar Console as the root user. 
  2. Navigate to the /var/log directory.
  3. Select one of the following commands to view information about recent offenses:
  • grep MPC qradar.log | grep Processed | tail -n1
  • grep MPC qradar.log | grep Scheduling | tail -n1

    Results
    If offenses are being actively generated, the MPC posts a message to qradar.log every minute with details of the offenses it processed or scheduled for creation. Be aware that the counts shown can be nonzero and can change from one message to the next, because the values are updated each time an offense receives more information from an event or flow.
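The following script is an added example, not part of this IBM technical note, that automates the command-line check above: it reuses the page's own grep pipeline to find the latest MPC "Processed" or "Scheduling" message and then reports whether that message is recent enough to count as healthy. It assumes, as this page does not state, that qradar.log lines begin with a syslog timestamp in "Mon DD HH:MM:SS" form and that GNU date is available for "date -d"; the sample log lines it builds (hostname, component tag and message wording) are constructed for illustration and are not real QRadar output.

```shell
#!/bin/sh
# Added example (not IBM's code): automate the page's manual check that the
# Magistrate (MPC) is still processing and scheduling offenses.
# Assumptions not confirmed by the page: qradar.log lines start with a syslog
# timestamp "Mon DD HH:MM:SS" (year-less, so a stamp from last year around
# New Year is mis-dated) and GNU date is available for "date -d".
# The hostname, component tag and message text in the constructed sample
# lines below are illustrative only.

# Most recent MPC line in log file $2 whose text contains keyword $1; this is
# the same pipeline the page gives (grep MPC ... | grep <keyword> | tail -n1).
last_mpc_line() {
    grep MPC "$2" | grep "$1" | tail -n 1
}

# Seconds elapsed since the syslog timestamp at the start of line $1.
# Prints the age and returns 0, or returns 1 if the timestamp does not parse.
line_age_seconds() {
    stamp=$(printf '%s\n' "$1" | awk '{print $1, $2, $3}')
    epoch=$(date -d "$stamp" +%s 2>/dev/null) || return 1
    echo $(( $(date +%s) - epoch ))
}

# Health verdict for one keyword ($1) in log file $2 with a maximum age of
# $3 seconds:
#   0 = MPC logged "<keyword>" within the last $3 seconds (healthy)
#   1 = an MPC "<keyword>" message exists but is older than $3 seconds (stale)
#   2 = no MPC "<keyword>" message in the log at all
#   3 = a message was found but its timestamp could not be parsed
mpc_check() {
    keyword=$1; logfile=$2; max_age=$3
    line=$(last_mpc_line "$keyword" "$logfile")
    [ -n "$line" ] || return 2
    age=$(line_age_seconds "$line") || return 3
    [ "$age" -le "$max_age" ]    # exit 0 if fresh, 1 if stale
}

# Write a constructed two-line qradar.log sample to $1, timestamped "$2 ago"
# (for example "30 seconds" or "1 hour"); hypothetical content, not real logs.
make_sample_log() {
    when=$(date -d "$2 ago" '+%b %e %H:%M:%S')
    printf '%s qradar-console [ecs-ep.ecs-ep] MPC: Processed 3 offense updates\n' "$when" > "$1"
    printf '%s qradar-console [ecs-ep.ecs-ep] MPC: Scheduling 1 new offense\n' "$when" >> "$1"
}

# On a real Console (as root): mpc_check Processed /var/log/qradar.log 120
# Demonstration against constructed samples: sh mpc_health.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp" "30 seconds"
    mpc_check Processed "$tmp" 120 && echo "fresh sample: MPC healthy"
    make_sample_log "$tmp" "1 hour"
    mpc_check Scheduling "$tmp" 120 || echo "old sample: MPC stale (rc=$?)"
    rm -f "$tmp"
fi
```

A threshold of 120 seconds gives one missed minute of slack over the once-a-minute cadence the page describes; raise it if the Console is known to be under heavy load, and treat return code 2 (no MPC message at all) as a stronger signal than a stale timestamp, since it means the magistrate has not logged since the file was rotated.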

Additional Information

Document Location

Worldwide


Document Information

Modified date:
31 March 2022

UID

ibm16558024