Ingesting the sample IBM QRadar offenses

  • Freigeben Version: Australia
  • Aktualisiert 12. März 2026
  • 2 Minuten Lesedauer

    • You can ingest sample offenses for one or more selected IBM QRadar rules.

    Vorbereitungen

    Role required: sn_si.admin

    Prozedur

    1. If the mapping form is not displayed, click Mapping on the progress bar.
    2. You can either pull the three most recent sample offenses or provide the unique offense IDs for the specific offenses that you want to use for your mapping experience.
      From the Ingestion Preference choice list, select one of the following:
      • Retrieve most recent offenses: The three most recent offenses for the selected rules are retrieved.
      • Select offenses based on offenses ID: Specify the offense ID for the offenses to be retrieved. You can specify a maximum of 3 offense ids separated by commas.

      IBM QRadar: Create Profile: Mapping: Default
    3. Click Fetch Sample Data to pull the latest sample offense data from the IBM QRadar console for the selected offense rules.
      The offense fields and values results are displayed as individual tabs. An offense can be triggered by three types of rules:
      • Event: In this rule, event logs are checked and if the specified criteria is met, an offense is created.
      • Flow: Network data and traffic is checked and if certain conditions are met, an offense is created.
      • Common: In this case, you can specify conditions for events or flows and either or both conditions are met, an offense is created.
      The pull for sample offenses may take a few moments. A message indicating that the transaction is working is displayed at the top of the screen. Depending on the rule or rules that triggered the offense, along with the offense fields, the event or flow fields are populated as shown in the figure below:
      IBM QRadar Mapping Sample offense and Events
      Hinweis:
      The event or flow fields displayed belong to the first event or flow field that triggered the offense based on the corresponding event or flow rule.
    4. The following are custom offense fields created for this integration.
      Standard offenses fields in addition to these custom fields are available for mapping.
      • rules_contributing_to_offense: IBM QRadar rules that contributed to the offense based on the Rule ID.
      • users: User names for the offense
      • remote_destination_ip: The remote destination IPs for the offense.
        Based on the local destination IDs for the offense, the following custom local destination address fields are available:
        • local_destination_address (domain_id)
        • local_destination_address (event_flow_count)
        • local_destination_address (first_event_flow_seen)
        • local_destination_address (id)
        • local_destination_address (last_event_flow_seen)
        • local_destination_address (local_destination_address_ids)
        • local_destination_address (magnitude)
        • local_destination_address (network)
        • local_destination_address (offense_ids)
        • local_destination_address (local_destination_ip)
      • The following source addresses are available based on the source IDs of the offense:
        • source_addresses (domain_id)
        • source_addresses (event_flow_count)
        • source_addresses (first_event_flow_seen)
        • source_addresses (id)
        • source_addresses (last_event_flow_seen)
        • source_addresses (source_address_ids)
        • source_addresses (magnitude)
        • source_addresses (network)
        • source_addresses (offense_ids)
        • source_addresses (source_ip)

      Select the Fetch additional event and flow fields (Optional) check box. You can fetch sample event and flow data from any active, valid custom event and flow fields. Specify the custom fields separated by commas as shown below:


      IBM QRadar: Create Profile: Mapping: Custom
      Click Fetch Sample Data. The specified event or flow fields along with their values (if available) are appended to the Event or Flow section as shown below:
      IBM QRadar: Create Profile: Mapping: Custom: Result
      After you fetch the sample data, the corresponding values for these fields are populated on the left side of the form.
      IBM QRadar: Create Profile: Populated Offenses

    Nächste Maßnahme

    After you have fetched the sample data, the next step is map the offense fields to the security incident.