SEPM "Threat detected / Not cleaned" (log only) event not found in QRadar after being processed by Integrated Cyber Defense Exchange


Article ID: 209286


Products

Integrated Cyber Defense Exchange ICDx

Issue/Introduction

You are not able to find a SEPM detection event with the action of "Leave alone (log only)" or "Potential risk found (Left alone)" in QRadar after being processed through the Integrated Cyber Defense Exchange product.


Cause

This may be related to a misunderstanding of the mapping.

Environment

Release : 1.4.2

Component : SEPM collector, QRadar app

Resolution

Leave alone (log only) events are mapped from ICDx to the QRadar app based on the following QID map entry:

<qidmap>
    <severity>1</severity>
    <lowlevelcategory>19001</lowlevelcategory>
    <reverseip>false</reverseip>
    <qid>1002250283</qid>
    <ratethreshold>0</ratethreshold>
    <rateinterval>0</rateinterval>
    <qdescription>File Detection events report the detection and resolution of file threats or policy violations.</qdescription>
    <catpipename>Echo</catpipename>
    <ratelongwindow>0</ratelongwindow>
    <qname>File Detection: Logged</qname>
    <rateshortwindow>0</rateshortwindow>
    <id>649895</id>
</qidmap>

The values of note from the mapping above are:

<qname>File Detection: Logged</qname>
<qid>1002250283</qid>
<id>649895</id>

You can use these values (the QID, or the event name "File Detection: Logged") to find the log-only events in QRadar, for example by filtering on the QID in the Log Activity search or in an AQL query.
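As an added example (not code from the article or from the ICDx or QRadar products), the following Python parses a QID map export in the format quoted above, picks out the "Logged" entry, and builds the AQL search for those events. It assumes the entries are wrapped in a `<qidmaps>` root element; the second entry and that root are constructed for the example, while `QIDNAME()` and `LOGSOURCENAME()` are QRadar's own AQL functions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the qidmap entry from the article plus a hypothetical
# second entry, wrapped in an assumed <qidmaps> root so several entries parse
# as one document.
SAMPLE_QIDMAP_XML = """<qidmaps>
<qidmap>
    <severity>1</severity>
    <lowlevelcategory>19001</lowlevelcategory>
    <qid>1002250283</qid>
    <qname>File Detection: Logged</qname>
    <id>649895</id>
</qidmap>
<qidmap>
    <severity>5</severity>
    <lowlevelcategory>19002</lowlevelcategory>
    <qid>1002250999</qid>
    <qname>File Detection: Quarantined (hypothetical)</qname>
    <id>649999</id>
</qidmap>
</qidmaps>"""


def parse_qidmaps(xml_text):
    """Return one dict per <qidmap> element with the fields needed for a search."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter("qidmap"):
        entries.append({
            "qid": int(node.findtext("qid", "0")),
            "qname": node.findtext("qname", "").strip(),
            "severity": int(node.findtext("severity", "0")),
            "lowlevelcategory": int(node.findtext("lowlevelcategory", "0")),
            "id": int(node.findtext("id", "0")),
        })
    return entries


def select_by_name(entries, needle):
    """Case-insensitive substring match on qname, e.g. 'Logged' for log-only events."""
    return [e for e in entries if needle.lower() in e["qname"].lower()]


def build_aql(entries, window="LAST 24 HOURS"):
    """AQL that lists the matching events by QID rather than by display name."""
    qids = sorted({e["qid"] for e in entries})
    if not qids:
        raise ValueError("no QIDs to search for")
    qid_list = ", ".join(str(q) for q in qids)
    return ("SELECT starttime, QIDNAME(qid) AS name, LOGSOURCENAME(logsourceid) AS source, "
            f"sourceip, destinationip FROM events WHERE qid IN ({qid_list}) {window}")
```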