QRadar ‐ Rules - mluchettii/internship-portfolio GitHub Wiki


Creating a rule

Go to the Offenses tab, then click on Actions and then New Event Rule.

Rule Wizard

QID-based rule

Build the rule's logic from the available test conditions. In this case, I want the rule to fire when a specific QID is detected.

Back in Log Activity, I picked an earlier event that involved creating a user account on a Windows host, and copied its QID.

Paste the QID and add it to the list.

Let's say that a suspicious account was added. Click Next.

Important: assign relevant Event Details.

Rule summary

The new rule can be opened at any time from the Offenses tab.

Testing the rule

Creating a user account on Windows called qradar2 with the password qradar.

An offense for the new rule was triggered.

More details on the event.

Modifying the rule

Let's go back and modify the rule for what I'm about to do -- creating a user on my Debian host.

QID copied

Add it to the list, so now we have two QIDs that can trigger the offense.

Finish

Testing the modified rule

Creating a user named qradar2

Rule triggered

Offense Summary

Offense management

Assigning an offense to an analyst

In the Offense Summary, click on Actions and then Assign.

In this case, I assigned the event to myself, admin.

The Status now reflects this change.

Adding notes to an offense

Notes can be added just as easily.

Writing the note

The note is now visible in the notes box below and the status has been updated.

Useful icons indicating the changes.

Closing an offense

Actions -> Close

Choose the reason for closing: Non-Issue, False-Positive (Tuned), Policy Violation, or Custom.

Clear the "Exclude Closed Offenses" filter to see closed offenses.
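The following is an added example, not code from the wiki or from IBM QRadar: a small Python model of what the QID-based rule above does (an event matches when its QID is in the rule's list, and the matches form an offense) and of the offense management steps that follow (assign, note, close with a reason, hide closed offenses). The QID values, hostnames, IPs and log payloads are constructed placeholders; real QIDs are copied from Log Activity as shown in the walkthrough.

```python
"""Toy model of a QRadar QID-based event rule and offense lifecycle (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholder QIDs; real ones come from QRadar's Log Activity view.
QID_WINDOWS_USER_CREATED = 9000001   # placeholder for "Windows user account created"
QID_LINUX_USER_CREATED = 9000002     # placeholder for "Linux new user added"
QID_WINDOWS_LOGON = 9000003          # placeholder for an unrelated event that must not fire

# Close reasons listed on the page; anything else must be flagged as a custom reason.
BUILTIN_CLOSE_REASONS = ("Non-Issue", "False-Positive (Tuned)", "Policy Violation")


@dataclass
class Event:
    qid: int
    source_ip: str
    username: str
    payload: str


@dataclass
class EventRule:
    name: str
    qids: frozenset

    def matches(self, event: Event) -> bool:
        # The whole rule test is "the event's QID is one of the listed QIDs".
        return event.qid in self.qids


@dataclass
class Offense:
    rule: str
    events: list
    status: str = "Open"
    assigned_to: Optional[str] = None
    notes: list = field(default_factory=list)
    close_reason: Optional[str] = None

    def assign(self, analyst: str) -> None:
        self.assigned_to = analyst
        self.status = "Assigned"

    def add_note(self, author: str, text: str) -> None:
        self.notes.append((author, text))

    def close(self, reason: str, custom: bool = False) -> None:
        if not validate_close_reason(reason, custom):
            raise ValueError(f"unknown close reason {reason!r}; pass custom=True")
        self.close_reason = reason
        self.status = "Closed"


def validate_close_reason(reason: str, custom: bool = False) -> bool:
    """A reason is valid if it is one of the built-in ones or explicitly marked custom."""
    return reason in BUILTIN_CLOSE_REASONS or (custom and bool(reason.strip()))


def build_rule() -> EventRule:
    # The modified rule from the page: two QIDs, one per host type.
    return EventRule("Suspicious account added",
                     frozenset({QID_WINDOWS_USER_CREATED, QID_LINUX_USER_CREATED}))


def sample_events() -> list:
    # Constructed events mirroring the walkthrough: a Windows account creation,
    # an unrelated logon, and a Debian account creation.
    return [
        Event(QID_WINDOWS_USER_CREATED, "10.0.0.5", "qradar2",
              "A user account was created: qradar2"),
        Event(QID_WINDOWS_LOGON, "10.0.0.5", "admin",
              "An account was successfully logged on"),
        Event(QID_LINUX_USER_CREATED, "10.0.0.7", "qradar2",
              "useradd[1234]: new user: name=qradar2"),
    ]


def run_rule(rule: EventRule, events: list) -> Optional[Offense]:
    # One offense per rule run containing every matching event. This simplifies
    # QRadar, which groups matches into offenses by an index such as source IP.
    hits = [e for e in events if rule.matches(e)]
    return Offense(rule.name, hits) if hits else None


def visible_offenses(offenses: list, exclude_closed: bool = True) -> list:
    """The Offenses tab list with the 'Exclude Closed Offenses' filter on or off."""
    return [o for o in offenses if not (exclude_closed and o.status == "Closed")]


if __name__ == "__main__":
    offense = run_rule(build_rule(), sample_events())
    print(offense)
```

Running the module prints the offense created from the two account-creation events; the logon event is ignored because its QID is not in the rule's list. Adding a QID to the rule is just adding it to the frozenset, which is exactly what extending the list in the Rule Wizard does.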

More rules