Correlating Security Events in QRadar

Correlates security events in IBM QRadar SIEM using AQL (Ariel Query Language), custom rules, building blocks,

What Is This Skill?

The "Correlating Security Events in QRadar" skill enables security operations center (SOC) teams and detection engineers to analyze, correlate, and respond to security events within the IBM QRadar Security Information and Event Management (SIEM) platform. By combining Ariel Query Language (AQL), custom rules, and building blocks, it lets users detect and investigate multi-stage attacks that span log sources such as network devices, endpoints, and applications. It also covers managing offenses (QRadar's mechanism for aggregating and prioritizing related security events) and tuning detection logic to minimize false positives.

This skill is designed for hands-on practitioners who need to move beyond basic log monitoring. It provides a framework for combining multiple data points from diverse sources, enabling comprehensive threat detection and investigation workflows within QRadar.

Why Use It?

Traditional event monitoring in SIEM platforms often generates large volumes of noisy alerts, many of which are false positives or lack sufficient context for meaningful investigation. Attackers increasingly use multi-step techniques that can evade detection if events are analyzed in isolation. By correlating events in QRadar, analysts can:

  • Uncover Attack Chains: Link seemingly unrelated events into a coherent timeline, revealing tactics such as lateral movement, privilege escalation, or command-and-control activity.
  • Reduce Alert Fatigue: Use custom rules and building blocks to suppress benign activity, highlight true positives, and focus analyst attention on genuine incidents.
  • Improve Incident Response: Access detailed offense data and context, allowing for faster triage and containment of active threats.
  • Customize Detection: Adapt the SIEM’s detection logic to suit the organization’s specific environment, use cases, and threat landscape.

This skill is essential for organizations seeking to mature their SOC operations, strengthen their detection engineering capabilities, and maximize the value of their QRadar deployment.

How to Use It

1. Investigate Offenses

Begin by reviewing offenses generated within QRadar. Offenses aggregate related events based on rules, source/destination IPs, usernames, and other criteria. Each offense provides a summary, contributing events, and a timeline of activity.

Example: Query Offense Events using AQL

To drill down into a specific offense, use the Ariel Query Language (AQL) to search the event database:

SELECT * FROM events
WHERE INOFFENSE(4567)
ORDER BY starttime DESC
LIMIT 50
LAST 24 HOURS

Replace 4567 with the actual offense ID. INOFFENSE() is the AQL function that selects the events that contributed to an offense (the events table has no offense_id column), and the LAST clause bounds the search window so the query does not scan the whole event store. This query retrieves the 50 most recent events associated with the offense for detailed analysis.

2. Build Custom Correlation Rules

Custom rules allow QRadar to detect complex attack patterns by correlating events across multiple log sources. Use the Rule Wizard in QRadar to define conditions, thresholds, and actions.

Example: Correlating Lateral Movement

Suppose you want to detect a sequence where a user authenticates to multiple hosts within a short timeframe (indicative of lateral movement):

  • Building Block: "Multiple Successful Logins from Single User"
  • Rule: "If a user logs into more than 5 hosts within 10 minutes, create an offense"

Pseudocode for the rule setup:

WHEN
  [User] has more than 5 [Successful Login] events
  FROM different [Destination IPs]
  WITHIN 10 minutes
THEN
  Create an offense: "Possible Lateral Movement"

3. Use Building Blocks

Building blocks are reusable logic components that encapsulate common conditions, such as "Privileged Accounts" or "Critical Servers." Incorporate building blocks into rules to maintain consistency and reduce redundancy.

Example:

  • Building Block: "Privileged Accounts"
  • Rule: "Alert if a privileged account accesses sensitive files outside business hours"

This modular approach simplifies rule maintenance and enhances overall detection logic.
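The following is an added example, not QRadar's own code: a stand-alone Python model of how the lateral-movement rule from section 2 evaluates a stream of normalized events, written so that the "known benign accounts" exclusion and the "successful login" test are small reusable predicates in the spirit of the building blocks described above. The sample events, the field names (which mirror QRadar's normalized username, destinationip and starttime properties), the base timestamp and the exclusion set are all constructed for illustration.

```python
"""Added example, not QRadar's own code: a stand-alone model of the
'more than 5 distinct hosts within 10 minutes' lateral-movement rule, with
the exclusion of known benign accounts factored out as a reusable block.

Sample events, field names, timestamps and the exclusion set are constructed
for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 15, 9, 0)  # constructed base time for the sample data


def login(user, dest_ip, minutes, success=True):
    """Build one constructed sample event in the shape the rule expects."""
    return {
        "username": user,
        "destinationip": dest_ip,
        "starttime": T0 + timedelta(minutes=minutes),
        "category": "Successful Login" if success else "Failed Login",
    }


# Constructed sample stream (not real logs):
#  - alice reaches 6 distinct hosts inside 8 minutes -> should fire
#  - bob reaches 6 hosts, but 6 minutes apart over 30 minutes -> no fire
#  - svc-backup reaches 7 hosts in 6 minutes, but is a known benign account
SAMPLE_EVENTS = (
    [login("alice", f"10.0.0.{n}", m) for n, m in zip(range(11, 16), range(0, 5))]
    + [login("alice", "10.0.0.99", 5, success=False),  # failed: must not count
       login("alice", "10.0.0.11", 6),                  # repeat host: not distinct
       login("alice", "10.0.0.16", 7)]                  # sixth distinct host
    + [login("bob", f"10.0.1.{n}", m) for n, m in zip(range(21, 27), range(0, 36, 6))]
    + [login("svc-backup", f"10.0.2.{n}", m) for n, m in zip(range(31, 38), range(0, 7))]
)

# Building blocks: small reusable conditions, the way QRadar building blocks
# encapsulate "Privileged Accounts" or "Critical Servers".
KNOWN_BENIGN_ACCOUNTS = {"svc-backup"}  # constructed tuning exclusion


def bb_successful_login(event):
    return event["category"] == "Successful Login"


def bb_known_benign_account(event):
    return event["username"] in KNOWN_BENIGN_ACCOUNTS


def correlate_lateral_movement(events, window=timedelta(minutes=10), threshold=5,
                               exclude=bb_known_benign_account):
    """Emit one offense per user who logs into more than `threshold` distinct
    destination IPs within `window`. Mirrors the rule text: count distinct
    hosts over a sliding time window, not raw event volume."""
    recent = defaultdict(deque)  # username -> deque of (starttime, destinationip)
    offenses = []
    already_fired = set()
    for event in sorted(events, key=lambda e: e["starttime"]):
        if not bb_successful_login(event) or exclude(event):
            continue
        user = event["username"]
        bucket = recent[user]
        bucket.append((event["starttime"], event["destinationip"]))
        # Drop entries older than the window so the count always reflects
        # only the logins seen in the last `window` of time.
        while event["starttime"] - bucket[0][0] > window:
            bucket.popleft()
        hosts = {ip for _, ip in bucket}
        if len(hosts) > threshold and user not in already_fired:
            already_fired.add(user)
            offenses.append({
                "name": "Possible Lateral Movement",
                "username": user,
                "hosts": sorted(hosts),
                "first_seen": bucket[0][0],
                "last_seen": event["starttime"],
            })
    return offenses


if __name__ == "__main__":
    for offense in correlate_lateral_movement(SAMPLE_EVENTS):
        print(offense["name"], offense["username"], len(offense["hosts"]), "hosts",
              offense["first_seen"].time(), "->", offense["last_seen"].time())
```

Running it reports one offense for alice and nothing for bob or svc-backup. Lowering `threshold` or widening `window` shows how a tuning change alters which users fire, and passing a different `exclude` predicate is the equivalent of swapping a building block without touching the rule body.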

4. Tune Detection Logic

To reduce false positives and improve detection quality:

  • Refine rule conditions and thresholds based on historical event data.
  • Exclude known benign sources (e.g., approved scanners or administrators).
  • Leverage AQL queries to validate rule effectiveness before deployment.

Example: Exclude Known Scanner IPs

SELECT *
FROM events
WHERE QIDNAME(qid) ILIKE '%Port Scan%'
AND sourceip NOT IN ('192.168.100.10', '192.168.100.11')
LAST 24 HOURS

This query matches events by their normalized name (in AQL the event name is resolved with the QIDNAME(qid) function rather than read from a column) and drops the two approved scanner addresses, so only scans from unexpected sources remain. Replace the addresses with your own scanner allowlist and keep the LAST clause so the search stays bounded.
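As an added example that is not part of the original skill or of QRadar itself, the script below builds the two AQL queries from this page (the offense drill-down from section 1 and the scanner exclusion above) from values that may arrive from a ticket or a web form, validating each parameter before it is interpolated so that a crafted offense ID, event name or IP cannot change the query text, and then submits the result to the Ariel search REST API. Assumptions, all labelled in the code: the endpoints POST /api/ariel/searches, GET /api/ariel/searches/{id} and GET /api/ariel/searches/{id}/results, the SEC token header and the COMPLETED, CANCELED and ERROR status values are used as documented for QRadar's Ariel API; QRADAR_HOST and API_TOKEN are placeholders, and no network call is made unless you run run_search() against a real console.

```python
"""Added example, not QRadar's own code: build the offense and exclusion AQL
queries from untrusted values, then submit them to the Ariel search REST API.

Assumptions (labelled): the Ariel endpoints POST /api/ariel/searches,
GET /api/ariel/searches/{id} and GET /api/ariel/searches/{id}/results, the
SEC token header and the COMPLETED / CANCELED / ERROR status values as
documented for QRadar; QRADAR_HOST and API_TOKEN are placeholders."""
import ipaddress
import json
import re
import time
import urllib.parse
import urllib.request

QRADAR_HOST = "qradar.example.invalid"  # placeholder, not a real console
API_TOKEN = "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN"  # placeholder

# Event-name fragments are restricted to an allowlist of characters instead of
# being quote-escaped, so a value cannot close the string literal, append its
# own AQL, or smuggle in LIKE wildcards.
_NAME_OK = re.compile(r"^[A-Za-z0-9 .-]{1,64}$")


def offense_events_query(offense_id, limit=50, hours=24):
    """AQL for the most recent events that contributed to one offense.
    Every numeric parameter is coerced to a positive int before it is
    interpolated, so a string such as '4567 OR 1=1' is rejected."""
    oid, lim, hrs = int(offense_id), int(limit), int(hours)
    if min(oid, lim, hrs) <= 0:
        raise ValueError("offense_id, limit and hours must be positive integers")
    return (f"SELECT * FROM events WHERE INOFFENSE({oid}) "
            f"ORDER BY starttime DESC LIMIT {lim} LAST {hrs} HOURS")


def scan_exclusion_query(event_name, excluded_ips, hours=24):
    """AQL that matches events by name while dropping an allowlist of source
    IPs (approved scanners). Each IP is parsed with the ipaddress module, so
    only syntactically valid addresses reach the query text."""
    if not _NAME_OK.match(event_name):
        raise ValueError("event name contains characters outside the allowlist")
    hrs = int(hours)
    if hrs <= 0 or not excluded_ips:
        raise ValueError("hours must be positive and excluded_ips non-empty")
    ip_list = ", ".join(f"'{ipaddress.ip_address(ip)}'" for ip in excluded_ips)
    return (f"SELECT * FROM events WHERE QIDNAME(qid) ILIKE '%{event_name}%' "
            f"AND sourceip NOT IN ({ip_list}) LAST {hrs} HOURS")


def run_search(aql, host=QRADAR_HOST, token=API_TOKEN, poll_seconds=2, timeout=120):
    """Submit aql to the Ariel API, wait for completion and return the rows.
    This is the only network call; it is never reached by the stand-alone run."""
    base = f"https://{host}/api/ariel/searches"
    headers = {"SEC": token, "Accept": "application/json"}

    def call(url, method="GET"):
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    params = urllib.parse.urlencode({"query_expression": aql})
    search_id = call(f"{base}?{params}", method="POST")["search_id"]
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        status = call(f"{base}/{search_id}")["status"]
        if status == "COMPLETED":
            return call(f"{base}/{search_id}/results")["events"]
        if status in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} finished with status {status}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"search {search_id} did not complete within {timeout}s")


if __name__ == "__main__":
    print(offense_events_query(4567))
    print(scan_exclusion_query("Port Scan", ["192.168.100.10", "192.168.100.11"]))
    # run_search(offense_events_query(4567))  # only against a real console
```

The validation is the point of the example: AQL is interpolated as text, so every value that reaches the query string is either an integer the code produced itself, an address the ipaddress module accepted, or a name that matched the character allowlist. A rejected value raises before any request is made, which is the failure mode you want when the offense ID or scanner list is copied from a ticketing system.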

When to Use It

Apply this skill in scenarios such as:

  • SOC Investigations: When analysts need to correlate events to understand the full scope of an incident or offense.
  • Detection Engineering: While designing or tuning custom rules to identify advanced threats and reduce alert noise.
  • Behavioral Analysis: To detect deviations from normal activity, such as unusual logins or data transfers.
  • Continuous Improvement: During regular reviews of false positive offenses and rule effectiveness.

Do not use this skill for log source onboarding or parsing, which requires QRadar administrator access and knowledge of the Device Support Module (DSM) editor.

Important Notes

  • Ensure all log sources are properly normalized and mapped to correct QRadar QIDs to enable effective correlation.
  • AQL queries can be resource-intensive; use filters, time ranges, and limits to keep searches bounded.
  • Only users with offense management, rule creation, and AQL search permissions should utilize this skill.
  • Regularly review and update correlation rules and building blocks to adapt to evolving threats and business requirements.
  • Offense management is central to QRadar's workflow; always investigate offenses in context to avoid missing related events.

By mastering event correlation in QRadar, SOC teams and detection engineers can significantly enhance threat visibility, response times, and overall security posture.