[New Rules] External Promotion Alert for IBM QRadar (#5843)

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.5"
+version = "1.6.6"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

rules/promotions/ibm_qradar_external_alerts.toml

@@ -0,0 +1,109 @@
+[metadata]
+creation_date = "2026/03/17"
+integration = ["ibm_qradar"]
+maturity = "production"
+promotion = true
+updated_date = "2026/03/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each IBM QRadar offense written to the configured indices. Enabling this rule allows you
+to immediately begin investigating IBM QRadar offense alerts in the app.
+"""
+from = "now-2m"
+index = ["logs-ibm_qradar.offense-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "IBM QRadar External Alerts"
+note = """## Triage and analysis
+
+### Investigating IBM QRadar External Alerts
+
+IBM QRadar is a Security Intelligence Platform that provides SIEM, log management, anomaly detection, and incident forensics. The rule promotes QRadar offense records as Elastic detection alerts, enabling analysts to investigate potential threats with full offense context including rule names, severity, and status.
+
+### Possible investigation steps
+
+- Review the offense details including rule name, description, and categories to understand the nature of the alert.
+- Examine the offense severity and status (OPEN, HIDDEN, etc.) to prioritize investigation.
+- Cross-reference the offense with QRadar console for additional context including contributing events and log sources.
+- Investigate source and destination networks, device count, and event count associated with the offense.
+- Consult the IBM QRadar investigation guide and resources tagged in the alert for specific guidance on handling similar threats.
+
+### False positive analysis
+
+- Offenses triggered by routine administrative activities or known maintenance can be false positives. Review the offense context and create exceptions for scheduled activities.
+- Legitimate security testing or penetration testing may generate offenses. Coordinate with security teams to whitelist these during scheduled tests.
+- Low-severity offenses from specific rules that are known to produce noise can be excluded by creating rule exceptions.
+- Offenses from development or test environments may not require investigation. Consider excluding these environments if appropriate.
+
+### Response and remediation
+
+- Isolate affected systems if malicious activity is confirmed to prevent lateral movement.
+- Review the offense details to identify compromised accounts, credentials, or systems and take appropriate remediation steps.
+- Apply relevant security patches or updates to address any exploited vulnerabilities.
+- Escalate to the security operations center (SOC) or incident response team for further analysis if the threat appears significant.
+- Document the incident and update detection logic or exceptions based on findings.
+"""
+references = ["https://docs.elastic.co/en/integrations/ibm_qradar"]
+risk_score = 47
+rule_id = "d6702168-2be6-4d7d-a549-9bff67733df3"
+rule_name_override = "rule.name"
+setup = """## Setup
+
+### IBM QRadar Offense Integration
+This rule is designed to capture offense events generated by the IBM QRadar integration and promote them as Elastic detection alerts.
+
+To capture IBM QRadar offenses, install and configure the IBM QRadar integration to ingest offense records into the `logs-ibm_qradar.offense-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same QRadar events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:ibm_qradar.offense to avoid receiving duplicate alerts.
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Data Source: IBM QRadar",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Promotion: External Alerts",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind: alert and data_stream.dataset: ibm_qradar.offense
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "ibm_qradar.offense.magnitude"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"