correlating-security-events-in-qradar

# Correlating Security Events in QRadar ## When to Use Use this skill when: - SOC analysts need to investigate QRadar offenses and correlate events across multiple log sources - Detection engineers build custom correlation rules to identify multi-stage attacks - Alert tuning is required to reduce false positive offenses and improve signal quality - The team migrates from basic event monitoring to behavior-based correlation **Do not use** for log source onboarding or parsing — that requires QRadar administrator access and DSM editor knowledge. ## Prerequisites - IBM QRadar SIEM 7.5+ with offense management enabled - AQL knowledge for ad-hoc event and flow queries - Log sources normalized with proper QID mappings (Windows, firewall, proxy, endpoint) - User role with offense management, rule creation, and AQL search permissions - Reference sets/maps configured for whitelist and watchlist management ## Workflow ### Step 1: Investigate an Offense with AQL Open an offense in QRadar and query contributing events using AQL (Ariel Query Language): ```sql SELECT DATEFORMAT(startTime, 'yyyy-MM-dd HH:mm:ss') AS event_time, sourceIP, destinationIP, username, LOGSOURCENAME(logSourceId) AS log_source, QIDNAME(qid) AS event_name, category, magnitude FROM events WHERE INOFFENSE(12345) ORDER BY startTime ASC LIMIT 500 ``` Pivot on the source IP to find all activity: ```sql SELECT DATEFORMAT(startTime, 'yyyy-MM-dd HH:mm:ss') AS event_time, destinati...