IBM Support

QRadar: Global Correlation

Question & Answer


Question

What is Global Correlation?

Answer

Gobal Correlation is:

When you have a rule that is marked to test globally, it only triggers if it's a rule with a stateful function. A rule that only tests a single event, even for multiple properties, is automatically not tested globally, to avoid unnecessary load on the event pipeline.

For example: If you have a rule that is looking for an event with user = x and source IP = y and event type is login failed, such a rule will not run a global test, as it's only testing three properties of a single event.

However, if you have a rule marked to test globally, and it contains a stateful function, that is to say, it is looking for a count of events over a period of time, each event that matches is called a partial match. When you have partial matches across multiple event processors, the concept of global rules come into play.

The event processor with the partial match will send a reference to such an event to the central event processor on the console. If another EP in another location also finds an event that matches, it also sends a reference to that event to the console for global testing, and so forth. This way the correlation across multiple event processors can be processed on the central event processor on the console.

Duplicate data from Global Cross Correlation (GCC) feature

Users may see duplicate events/flows that are generated by GCC because of the way global rules operate as explained above.

In the below diagram you can see events that look identical except for the two columns to the right: Duplicate and Event Processor.



This is because such duplicate events must be generated in the GCC mode so the magistrate can properly handle the pending offenses and
partial matches of rules along the way.

In essence:
  1. The local CRE on an EP runs through the list of tests. If the event/flow matches a rule that is tagged as global, that event/flow gets sent to the console (central CRE) for processing.
  2. The local CRE on the EP continues to run through the rest of the tests and stores the results locally, since it is the EP that received the event.
  3. The central CRE on the console receives the event and runs it through the list of global rules and tags the event with any matches it finds.
    This copy also gets stored with the duplicate flag. Magistrate can now create offenses and run pending offense queries to backfill offenses that had lead-up global events.
The search on custom rules that are matched/partially matched will then only find the duplicate event that is matched by the global rules. Other searches show both events because they both exist in the system.

Where do I find more information?


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000GncCAAS","label":"QRadar->Rules"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
02 April 2020

UID

swg21984150