Offense chaining causes performance issues in IBM QRadar

Offense chaining is based on the offense index field that is specified on the rule

Offense chaining is based on the generated CRE event that is specified in the rule response

A chained offense is identifiable when "preceded by" is in the Descriptions field on the Offense Summary page

If the rule is configured to use the Source IP address as the offense index field, there is only one offense that has that Source IP address, regardless of the offense status

Rule type

Rule response

Offense index field

Rule response limiter

Offense Summary > By Source IP

Offense Summary > New Search > Advanced Search

Log Activity > Offense Source Summary > Offenses

Log Activity > Add Filter > Source IP > offense_assigned

Mappings can be a log source configuration backup solution

The export can be a log source group configuration backup solution

MITRE coverage file can be imported into MITRE ATT&CK Navigator

The export contains event details which can be re-run by using the QRadar Experience Center app

Relevance

Credibility

Event severity

Trustworthiness log

The number of rules matched to the offense

The number of searches associated with the offense

The CVSS score of the log sources that are involved in the offense

The number of events and flows that are associated with the offense

The categories, severity, relevance, and credibility of the events and flows that contribute to the offense

Stored events

Parsed events

Payload events

Unknown events