IBM Support

QRadar: Can I limit offense generation with Response Limiters?

Question & Answer


Question

Can I limit the number of offenses that are created from a Rule by configuring the Response Limiter?

Answer

The Response Limiter does not limit the generation of offenses.

Whenever an event is seen by the Custom Rule Engine (CRE) that matches a Rule configured to add that matching event to an offense, information about the event is generated and sent to the Magistrate. The Magistrate is responsible for managing offenses in the SIM Model. When the event information reaches the Magistrate, it checks whether an offense with the same source and index value already exists; if none exists, a new offense is opened.

The most common way of generating offenses is to enable the "Ensure the detected event is part of an Offense" option on the Rule Wizard: Rule Response page. When this option is enabled, the action is taken for every event matching the Rule, regardless of the Response Limiter. "Ensure the detected event is part of an Offense" is the only Action that is not influenced by the Response Limiter.
The only way to influence offense generation with the Response Limiter field is to rely only on events generated by the Custom Rule Engine for offense creation.
  1. Open the Rule in the Rule Wizard, and click Next until you reach the Rule Response page.
  2. Disable the "Ensure the detected event is part of an Offense" option on the Rule Wizard: Rule Response page.
  3. Enable "Dispatch New Event".
    1. Configure the Event Name and Event Description fields.
    2. Enable the option "Ensure the dispatched event is part of an Offense" and select your choice under Offense Naming.
  4. Configure the Response Limiter to the time of your choice.
  5. Save and close the Rule.
Results
When an event matches a Rule configured this way, the triggering event is not added to an offense. However, the generated CRE event creates a new offense or is added to an existing offense. The main drawback of this approach is that the triggering events are not associated with the offense; only the CRE-generated event is.
To find the associated events that triggered the Rule, you need to run a Log Activity search by using the name of the Custom Rule and the value of the index field.
For example, an offense is generated at 4:30 PM by using this technique with a Rule named "Data Exfiltration" and indexed on the property "Computer Name (custom)" with the value "WorkstationAlpha". The offense ends at 4:45 PM.
A search for the associated events would need to look for "Custom Rule equals Data Exfiltration" and "Computer Name (custom) equals WorkstationAlpha" from 4:30 PM to 4:45 PM.
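The same search expressed as an AQL query (Log Activity > Advanced Search), added here as an illustration and not part of the original IBM article. It assumes the custom property is named exactly "Computer Name (custom)" and uses 2021-06-03 as a placeholder date, because the article gives only the times 4:30 PM and 4:45 PM; substitute the offense's real date when you run it.

```sql
-- Added example: AQL search for the events that matched the "Data Exfiltration" rule
-- for WorkstationAlpha during the offense window. These are the triggering events
-- that the Dispatch New Event approach does NOT attach to the offense.
-- The date is a placeholder; the article only states 4:30 PM to 4:45 PM.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    QIDNAME(qid)                                AS event_name,
    LOGSOURCENAME(logsourceid)                  AS log_source,
    sourceip,
    destinationip,
    username,
    "Computer Name (custom)"                    AS computer_name,
    RULENAME(creEventList)                      AS matched_rules
FROM events
WHERE RULENAME(creEventList) ILIKE '%Data Exfiltration%'   -- the Custom Rule that fired
  AND "Computer Name (custom)" = 'WorkstationAlpha'        -- the offense index value
ORDER BY starttime
START '2021-06-03 16:30:00'
STOP  '2021-06-03 16:45:00'
```

Because the Response Limiter only throttles the dispatched CRE event, the offense window can span many more triggering events than the single event attached to it; bounding the query with the offense start and end times keeps the result set to the events that actually contributed to that offense.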



Document Information

Modified date:
03 June 2021

UID

ibm16445431