correlating-security-events-in-qradar
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/correlating-security-events-in-qradarCorrelate multi-stage attacks across QRadar log sources using AQL.
- Detects complex threats by linking events from network, endpoint, and app logs.
- Depends on IBM QRadar SIEM 7.5+ with offense management enabled.
- Executes custom rules and building blocks to identify attack patterns.
- Outputs actionable insights for SOC analysts to tune detection logic.
SKILL.md
.github/skills/correlating-security-events-in-qradarView on GitHub ↗
---
name: correlating-security-events-in-qradar
description: >
Correlates security events in IBM QRadar SIEM using AQL (Ariel Query Language), custom rules,
building blocks, and offense management to detect multi-stage attacks across network, endpoint,
and application log sources. Use when SOC analysts need to investigate QRadar offenses, build
correlation rules, or tune detection logic for reducing false positives.
domain: cybersecurity
subdomain: soc-operations
tags: [soc, qradar, siem, aql, correlation, offense-management, ibm]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Correlating Security Events in QRadar
## When to Use
Use this skill when:
- SOC analysts need to investigate QRadar offenses and correlate events across multiple log sources
- Detection engineers build custom correlation rules to identify multi-stage attacks
- Alert tuning is required to reduce false positive offenses and improve signal quality
- The team migrates from basic event monitoring to behavior-based correlation
**Do not use** for log source onboarding or parsing — that requires QRadar administrator access and DSM editor knowledge.
## Prerequisites
- IBM QRadar SIEM 7.5+ with offense management enabled
- AQL knowledge for ad-hoc event and flow queries
- Log sources normalized with proper QID mappings (Windows, firewall, proxy, endpoint)
- User role with offense management, rule creation, and AQL search permissions
- Reference sets/maps configured for whitelist and watchlist management
## Workflow
### Step 1: Investigate an Offense with AQL
Open an offense in QRadar and query contributing events using AQL (Ariel Query Language):
```sql
SELECT DATEFORMAT(startTime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
sourceIP, destinationIP, username,
LOGSOURCENAME(logSourceId) AS log_source,
QIDNAME(qid) AS event_name,
category, magnitude
FROM events
WHERE INOFFENSE(12345)
ORDER BY startTime ASC
LIMIT 500
```
Pivot on the source IP to find all activity:
```sql
SELECT DATEFORMAT(startTime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
destinationIP, destinationPort, username,
QIDNAME(qid) AS event_name,
eventCount, category
FROM events
WHERE sourceIP = '192.168.1.105'
AND startTime > NOW() - 24*60*60*1000
ORDER BY startTime ASC
LIMIT 1000
```
### Step 2: Build a Custom Correlation Rule
Create a multi-condition rule detecting brute force followed by successful login:
**Rule 1 — Brute Force Detection (Building Block):**
```
Rule Type: Event
Rule Name: BB: Multiple Failed Logins from Same Source
Tests:
- When the event(s) were detected by one or more of [Local]
- AND when the event QID is one of [Authentication Failure (5000001)]
- AND when at least 10 events are seen with the same Source IP
in 5 minutes
Rule Action: Dispatch new event (Category: Authentication, QID: Custom_BruteForce)
```
**Rule 2 — Brute Force Succeeded (Correlation Rule):**
```
Rule Type: Offense
Rule Name: COR: Brute Force with Subsequent Successful Login
Tests:
- When an event matches the building block BB: Multiple Failed Logins from Same Source
- AND when an event with QID [Authentication Success (5000000)] is detected
from the same Source IP within 10 minutes
- AND the Destination IP is the same for both events
Rule Action: Create offense, set severity to High, set relevance to 8
```
### Step 3: Use AQL for Cross-Source Correlation
Correlate authentication failures with network flows to detect lateral movement:
```sql
SELECT e.sourceIP, e.destinationIP, e.username,
QIDNAME(e.qid) AS event_name,
e.eventCount,
f.sourceBytes, f.destinationBytes
FROM events e
LEFT JOIN flows f ON e.sourceIP = f.sourceIP
AND e.destinationIP = f.destinationIP
AND f.startTime BETWEEN e.startTime AND e.startTime + 300000
WHERE e.category = 'Authentication'
AND e.sourceIP IN (
SELECT sourceIP FROM events
WHERE QIDNAME(qid) = 'Authentication Failure'
AND startTime > NOW() - 3600000
GROUP BY sourceIP
HAVING COUNT(*) > 20
)
AND e.startTime > NOW() - 3600000
ORDER BY e.startTime ASC
```
Detect data exfiltration by correlating DNS queries with large outbound flows:
```sql
SELECT sourceIP, destinationIP,
SUM(sourceBytes) AS total_bytes_out,
COUNT(*) AS flow_count
FROM flows
WHERE sourceIP IN (
SELECT sourceIP FROM events
WHERE QIDNAME(qid) ILIKE '%DNS%'
AND destinationIP NOT IN (
SELECT ip FROM reference_data.sets('Internal_DNS_Servers')
)
AND startTime > NOW() - 86400000
GROUP BY sourceIP
HAVING COUNT(*) > 500
)
AND destinationPort NOT IN (80, 443, 53)
AND startTime > NOW() - 86400000
GROUP BY sourceIP, destinationIP
HAVING SUM(sourceBytes) > 104857600
ORDER BY total_bytes_out DESC
```
### Step 4: Configure Reference Sets for Context Enrichment
Create reference sets for dynamic whitelists and watchlists:
```bash
# Create reference set via QRadar API
curl -X POST "https://qradar.example.com/api/reference_data/sets" \
-H "SEC: YOUR_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Known_Pen_Test_IPs",
"element_type": "IP",
"timeout_type": "LAST_SEEN",
"time_to_live": "30 days"
}'
# Add entries
curl -X POST "https://qradar.example.com/api/reference_data/sets/Known_Pen_Test_IPs" \
-H "SEC: YOUR_API_TOKEN" \
-d "value=10.0.5.100"
```
Use reference sets in rule conditions to exclude known benign activity:
```
Test: AND when the Source IP is NOT contained in any of [Known_Pen_Test_IPs]
Test: AND when the Destination IP is contained in any of [Critical_Asset_IPs]
```
### Step 5: Tune Offense Generation
Reduce false positives by adding building block filters:
```sql
-- Find top false positive generators
SELECT QIDNAME(qid) AS event_name,
LOGSOURCENAME(logSourceId) AS log_source,
COUNT(*) AS event_count,
COUNT(DISTINCT sourceIP) AS unique_sources
FROM events
WHERE INOFFENSE(
SELECT offenseId FROM offenses
WHERE status = 'CLOSED'
AND closeReason = 'False Positive'
AND startTime > NOW() - 30*24*60*60*1000
)
GROUP BY qid, logSourceId
ORDER BY event_count DESC
LIMIT 20
```
Apply tuning:
- Add high-frequency false positive sources to reference set exclusions
- Increase event thresholds on noisy rules (e.g., 10 failed logins -> 25 for service accounts)
- Set offense coalescing to group related events under a single offense
### Step 6: Build Custom Dashboard for Correlation Monitoring
Create a QRadar Pulse dashboard with key correlation metrics:
```sql
-- Active offenses by category
SELECT offenseType, status, COUNT(*) AS offense_count,
AVG(magnitude) AS avg_magnitude
FROM offenses
WHERE status = 'OPEN'
GROUP BY offenseType, status
ORDER BY offense_count DESC
-- Mean time to close offenses
SELECT DATEFORMAT(startTime, 'yyyy-MM-dd') AS day,
AVG(closeTime - startTime) / 60000 AS avg_close_minutes,
COUNT(*) AS closed_count
FROM offenses
WHERE status = 'CLOSED'
AND startTime > NOW() - 30*24*60*60*1000
GROUP BY DATEFORMAT(startTime, 'yyyy-MM-dd')
ORDER BY day
```
## Key Concepts
| Term | Definition |
|------|-----------|
| **AQL** | Ariel Query Language — QRadar's SQL-like query language for searching events, flows, and offenses |
| **Offense** | QRadar's correlated incident grouping multiple events/flows under a single investigation unit |
| **Building Block** | Reusable rule component that categorizes events without generating offenses, used as input to correlation rules |
| **Magnitude** | QRadar's calculated offense severity combining relevance, severity, and credibility scores (1-10) |
| **Reference Set** | Dynamic lookup table in QRadar for whitelists, watchlists, and enrichment data used in rules |
| **QID** | QRadar Identifier — unique numeric ID mapping vendor-specific events to normalized categories |
| **Coalescing** | QRadar's mechanism for grouping related events into a single offense to reduce analyst workload |
## Tools & Systems
- **IBM QRadar SIEM**: Enterprise SIEM platform with event correlation, offense management, and AQL query engine
- **QRadar Pulse**: Dashboard framework for building custom visualizations of offense and event metrics
- **QRadar API**: RESTful API for automating reference set management, offense operations, and rule deployment
- **QRadar Use Case Manager**: App for mapping detection rules to MITRE ATT&CK framework coverage
- **QRadar Assistant**: AI-powered analysis tool helping analysts investigate offenses with natural language
## Common Scenarios
- **Brute Force to Compromise**: Correlate failed auth events with subsequent successful login from same source
- **Lateral Movement Chain**: Track authentication events across multiple internal hosts from a single source
- **C2 Beaconing**: Correlate periodic DNS queries with low-entropy payloads to unusual domains
- **Privilege Escalation**: Correlate user account changes (group additions) with prior suspicious authentication
- **Data Exfiltration**: Correlate large outbound flow volumes with prior internal reconnaissance activity
## Output Format
```
QRADAR OFFENSE INVESTIGATION — Offense #12345
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Offense Type: Brute Force with Subsequent Access
Magnitude: 8/10 (Severity: 8, Relevance: 9, Credibility: 7)
Created: 2024-03-15 14:23:07 UTC
Contributing: 247 events from 3 log sources
Correlation Chain:
14:10-14:22 — 234 Authentication Failures (EventCode 4625) from 192.168.1.105 to DC-01
14:23:07 — Authentication Success (EventCode 4624) from 192.168.1.105 to DC-01 (user: admin)
14:25:33 — New Process: cmd.exe spawned by admin on DC-01
14:26:01 — Net.exe user /add detected on DC-01
Sources Correlated:
Windows Security Logs (DC-01)
Sysmon (DC-01)
Firewall (Palo Alto PA-5260)
Disposition: TRUE POSITIVE — Escalated to Incident Response
Ticket: IR-2024-0432
```
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.