IBM Support

Troubleshooting the "Ensure the detected event is part of an offense" Rule Action not preventing offenses from being added

Troubleshooting


Problem

The option "Ensure the detected event is part of an offense" does not prevent the detected events from being added to the new offense when the rule has a stateful test.

Symptom

Offenses generated by stateful rules include both CRE events and the events detected by the rule tests, when the wanted behavior is to include CRE events only.

A stateful rule is one such as "when at least this many events are seen with the same event properties in this many minutes".

Example of an affected rule (the Resolving the Problem section shows how to apply the workaround to this rule):

  • Rule tests:
    • when the event category for the event is one of the following Exploit.Misc Exploit
    • when at least 3 events are seen with the same Source IP and different Event Name in 30 minutes
  • Rule Action: Do not check "Ensure the detected event is part of an offense"
  • Rule Response: Check "Dispatch New Event" and "Ensure the dispatched event is part of an offense"

Resolving The Problem

Offense chaining works around this issue. To set up offense chaining, remove the offense generation from the first rule, then create a second rule that tests for the event dispatched by the first rule and generates the wanted offense.

Workaround

  1. Edit the first rule's response so that it does not generate an offense. Take note of the Event Name of the dispatched event.
  2. Create a second rule that tests for the event generated by the first rule: monitor the event property Event Name and match the name of the event dispatched by the first rule.
  3. Set this second rule to generate the wanted offense.

Result

The second rule generates offenses that contain CRE events only. The first rule does not generate offenses.
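The chaining described in the steps above, modelled in Python as an added example (this is not QRadar's rule engine or any IBM code): the event layout, the sample events, the window handling and the dispatched event name "Possible Exploit Sequence" are all constructed here to show why the chained offense ends up holding CRE events only.

```python
from collections import defaultdict

WINDOW_SECONDS = 30 * 60                        # "in 30 minutes"
THRESHOLD = 3                                   # "at least 3 events"
CRE_EVENT_NAME = "Possible Exploit Sequence"    # assumed name of the dispatched event

# Constructed sample events: (timestamp_seconds, source_ip, event_name, category)
SAMPLE_EVENTS = [
    (0,   "10.0.0.5", "Exploit A", "Exploit.Misc Exploit"),
    (300, "10.0.0.5", "Exploit B", "Exploit.Misc Exploit"),
    (600, "10.0.0.5", "Exploit A", "Exploit.Misc Exploit"),  # repeat name, not "different"
    (900, "10.0.0.5", "Exploit C", "Exploit.Misc Exploit"),  # third distinct name: rule fires
    (100, "10.0.0.9", "Exploit A", "Exploit.Misc Exploit"),  # other host, never reaches 3
]


def first_rule(events):
    """Stateful rule from the article: category test, then 'at least 3 events with the
    same Source IP and different Event Name in 30 minutes'. After workaround step 1 it
    only dispatches a CRE event and creates no offense of its own."""
    seen = defaultdict(list)  # source_ip -> [(timestamp, event_name)] seen so far
    dispatched = []
    for ts, src, name, cat in sorted(events):
        if cat != "Exploit.Misc Exploit":
            continue
        seen[src].append((ts, name))
        names_in_window = {n for t, n in seen[src] if ts - t <= WINDOW_SECONDS}
        if len(names_in_window) >= THRESHOLD:
            dispatched.append((ts, src, CRE_EVENT_NAME, "CRE"))
            seen[src].clear()  # reset the counter once the rule has fired
    return dispatched


def second_rule(events):
    """Workaround step 2: test only on Event Name matching the first rule's CRE event."""
    return [e for e in events if e[2] == CRE_EVENT_NAME]


def chained_offense(raw_events):
    """Workaround result: the second rule's offense holds CRE events only."""
    return second_rule(first_rule(raw_events))


def unchained_offense(raw_events):
    """Reported problem: the stateful rule's own offense holds the detected
    events alongside the CRE event, even with the action box unchecked."""
    detected = [e for e in raw_events if e[3] == "Exploit.Misc Exploit"]
    return detected + first_rule(raw_events)
```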

Document Location

Worldwide


Document Information

Modified date:
25 April 2022

UID

ibm16567811