IBM QRadar External Alerts
Generates a detection alert for each IBM QRadar offense written to the configured indices. Enabling this rule allows you to immediately begin investigating IBM QRadar offense alerts in the app.
Rule type: query
Rule indices:
- logs-ibm_qradar.offense-*
Rule Severity: medium
Risk Score: 47
Runs every: 1m
Searches indices from: now-2m
Maximum alerts per execution: 1000
References:
Tags:
- Data Source: IBM QRadar
- Use Case: Threat Detection
- Resources: Investigation Guide
- Promotion: External Alerts
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup:
This rule is designed to capture offense events generated by the IBM QRadar integration and promote them as Elastic detection alerts.
To capture IBM QRadar offenses, install and configure the IBM QRadar integration to ingest offense records into the logs-ibm_qradar.offense-* index pattern.
If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same QRadar events. To avoid this, add a rule exception to the External Alerts rule that excludes data_stream.dataset:ibm_qradar.offense.
For information on troubleshooting the maximum alerts warning, please refer to this guide.
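The duplicate-alert situation described above, modelled as an added example (not code from the Elastic rule or the QRadar integration): both rules match the same QRadar offense document, and the dataset exception on the External Alerts rule removes the overlap. Assumptions: the External Alerts rule is treated as matching every event.kind: alert document (its real query is not reproduced on this page), the sample documents are constructed, and the exception payload follows the shape of the Kibana exception list items API.

```python
"""Overlap between the QRadar offense rule and the External Alerts rule."""
from typing import Any, Iterable

# Constructed sample documents shaped like ingested alert events.
SAMPLE_DOCS = [
    {"event": {"kind": "alert"}, "data_stream": {"dataset": "ibm_qradar.offense"},
     "rule": {"name": "Excessive Firewall Denies"}},          # matched by both rules
    {"event": {"kind": "alert"}, "data_stream": {"dataset": "other_vendor.alerts"}},
    {"event": {"kind": "event"}, "data_stream": {"dataset": "ibm_qradar.offense"}},
]

# Exception the page recommends adding to the External Alerts rule.
QRADAR_EXCEPTION = ("data_stream.dataset", "ibm_qradar.offense")


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted ECS field path against a nested document."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_qradar_rule(doc: dict) -> bool:
    """This rule's query: event.kind: alert and data_stream.dataset: ibm_qradar.offense"""
    return (get_field(doc, "event.kind") == "alert"
            and get_field(doc, "data_stream.dataset") == "ibm_qradar.offense")


def matches_external_alerts_rule(doc: dict, exceptions: Iterable[tuple] = ()) -> bool:
    """Assumption: the External Alerts rule promotes any event.kind: alert
    document. A document matching any (field, value) exception is suppressed."""
    if get_field(doc, "event.kind") != "alert":
        return False
    return not any(get_field(doc, field) == value for field, value in exceptions)


def duplicate_alerts(docs: list, exceptions: Iterable[tuple] = ()) -> list:
    """Documents that would produce an alert from both rules."""
    return [d for d in docs
            if matches_qradar_rule(d) and matches_external_alerts_rule(d, exceptions)]


def exception_item(list_id: str) -> dict:
    """Payload for the exception list items API (shape assumed from the documented API)."""
    field, value = QRADAR_EXCEPTION
    return {"list_id": list_id, "name": "Exclude QRadar offenses", "type": "simple",
            "description": "Promoted by the IBM QRadar External Alerts rule",
            "namespace_type": "single",
            "entries": [{"field": field, "operator": "included", "type": "match", "value": value}]}
```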
Triage and analysis:
IBM QRadar is a Security Intelligence Platform that provides SIEM, log management, anomaly detection, and incident forensics. This rule promotes QRadar offense records as Elastic detection alerts, enabling analysts to investigate potential threats with full offense context, including rule names, severity, and status.
Possible investigation steps:
- Review the offense details, including rule name, description, and categories, to understand the nature of the alert.
- Examine the offense severity and status (OPEN, HIDDEN, etc.) to prioritize investigation.
- Cross-reference the offense with the QRadar console for additional context, including contributing events and log sources.
- Investigate the source and destination networks, device count, and event count associated with the offense.
- Consult the IBM QRadar investigation guide and the resources tagged in the alert for specific guidance on handling similar threats.
False positive analysis:
- Offenses triggered by routine administrative activities or known maintenance can be false positives. Review the offense context and create exceptions for scheduled activities.
- Legitimate security testing or penetration testing may generate offenses. Coordinate with security teams to whitelist these during scheduled tests.
- Low-severity offenses from specific rules that are known to produce noise can be excluded by creating rule exceptions.
- Offenses from development or test environments may not require investigation. Consider excluding these environments if appropriate.
Response and remediation:
- Isolate affected systems if malicious activity is confirmed, to prevent lateral movement.
- Review the offense details to identify compromised accounts, credentials, or systems and take appropriate remediation steps.
- Apply relevant security patches or updates to address any exploited vulnerabilities.
- Escalate to the security operations center (SOC) or incident response team for further analysis if the threat appears significant.
- Document the incident and update detection logic or exceptions based on findings.
Rule query:
event.kind: alert and data_stream.dataset: ibm_qradar.offense