Topic
  • 4 replies
  • Latest Post - 2016-03-21T14:25:05Z by paulfh

i.kazolas
53 Posts

Pinned topic Rule Response Limiter

2016-02-11T09:32:14Z

Hi Team,

 

Do you know how the Response Limiter works?

How does a rule work without a Response Limiter?

 

Regards,

Ioannis

 

  • JamieWindley
    2 Posts

    Re: Rule Response Limiter

    2016-02-17T16:40:18Z

    I believe that without a Response Limiter in place, if circumstances which trigger the rule were to occur say 100 times in the space of 5 minutes, then the rule action would also occur 100 times over those 5 minutes. E.g., you would get 100 emails alerting that the rule had been triggered (if you configured the rule to email alert).

     

    However, if in the above scenario you had enabled a Response Limiter to respond no more than 1 time per 5 minutes, then you would only be notified once.

     

     

  • i.kazolas
    53 Posts

    Re: Rule Response Limiter

    2016-02-25T10:08:41Z


    Hi Jamie ,

     

    Thanks for the information and prompt reply.

    What about the Response Limiter of a rule which is not based on an event?

     

    Example

    Rule: when the event(s) have not been detected by one or more of (Group) for X (seconds).

     

     

    Thank you,

    Ioannis

     

  • JamieWindley
    2 Posts

    Re: Rule Response Limiter

    2016-02-25T10:24:01Z

    Hi Ioannis,

    I believe the same logic applies here. The rule response limiter simply limits the number of triggers of that rule. So, in your example

     

    Rule: when the event(s) have not been detected by one or more of (Group) for X (seconds).

     

    If the above rule were to trigger 5 times in the space of 30 minutes, but you have set up your rule limiter to 1 per 30 minutes, then the result of this would be to only trigger the rule response once instead of five times.


    Thanks

    Jamie
     

  • paulfh
    1 Post

    Re: Rule Response Limiter

    2016-03-21T14:25:05Z

    I'd like to clarify the answer in this thread:

     

    Specifically, Rule Actions vs Rule Responses and the interaction with the Rule Response Limiter

     

    A rule has Actions and Responses. Actions only act on internal QRadar information and include:

    - Modify Severity/Credibility/Relevance

    - Ensure the detected event is part of an offense

    - Annotate event

    - Drop the detected event

    Rule Actions are not affected by the Rule Response Limiter.

     

    Responses can also send information to external (and internal) systems. Rule Responses are affected by the Rule Response Limiter.

     

    Also note that 7.2.6 has an 'index' on the Rule Response Limiter.  So the issue of the 'special' test "when the event(s) have not been detected by one or more of (Group) for X ( seconds )" will depend on the setting for the index of the Limiter.

     

    Paul
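
The behaviour described across this thread (Jamie's scenario of 100 triggers in 5 minutes collapsing to one notification, and Paul's distinction between Actions, which always run, and Responses, which the limiter throttles, optionally per value of an index field), as an added simulation. This is example code written for this page, not QRadar's implementation; the event dictionary layout, the `Rule` and `ResponseLimiter` classes and the sample login-failure events are all assumptions made for illustration.

```python
"""Toy model of a rule engine with Actions, Responses and a Response Limiter.

Added example, not QRadar code. It models the behaviour described in the thread:
Actions (modify severity, add to offense, ...) run on every match, while
Responses (email, syslog, ...) are throttled to at most N per window, either
globally or per value of an index field (e.g. source IP).
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional


@dataclass
class ResponseLimiter:
    """'Respond no more than max_responses times per window_seconds'."""
    max_responses: int
    window_seconds: float
    index_field: Optional[str] = None  # None: one global counter; else one per value
    _history: Dict[object, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def allow(self, event: dict) -> bool:
        """Return True if a response may fire for this event; record it if so."""
        key = event.get(self.index_field) if self.index_field else None
        fired = self._history[key]
        now = event["ts"]
        # Sliding window: forget responses older than the window.
        while fired and now - fired[0] >= self.window_seconds:
            fired.popleft()
        if len(fired) >= self.max_responses:
            return False
        fired.append(now)
        return True


@dataclass
class Rule:
    name: str
    test: Callable[[dict], bool]
    limiter: Optional[ResponseLimiter]
    actions_run: int = 0
    responses_sent: List[float] = field(default_factory=list)

    def process(self, event: dict) -> None:
        if not self.test(event):
            return
        # Rule Action: acts on internal data and is NOT subject to the limiter.
        event["severity"] = max(event.get("severity", 0), 7)
        self.actions_run += 1
        # Rule Response: external notification, subject to the limiter.
        if self.limiter is None or self.limiter.allow(event):
            self.responses_sent.append(event["ts"])


def make_events(n: int = 100, span_seconds: float = 300.0,
                src_ips=("10.0.0.5", "10.0.0.6")) -> List[dict]:
    """Constructed sample: n login failures spread evenly over span_seconds,
    alternating between two source IPs (hypothetical data, not real logs)."""
    step = span_seconds / n
    return [{"ts": i * step, "event": "Login Failure",
             "src_ip": src_ips[i % len(src_ips)]} for i in range(n)]


def run_scenario(limiter: Optional[ResponseLimiter]):
    """Feed the sample events to one rule; return (actions run, responses sent)."""
    rule = Rule("Login failures", lambda e: e["event"] == "Login Failure", limiter)
    for event in make_events():
        rule.process(event)
    return rule.actions_run, len(rule.responses_sent)


if __name__ == "__main__":
    for label, limiter in [
        ("no limiter", None),
        ("1 per 5 min, global", ResponseLimiter(1, 300)),
        ("1 per 5 min, indexed by src_ip", ResponseLimiter(1, 300, index_field="src_ip")),
        ("1 per minute, global", ResponseLimiter(1, 60)),
    ]:
        actions, responses = run_scenario(limiter)
        print(f"{label:32s} actions={actions:3d} responses={responses:3d}")
```

In every run the Action fires 100 times, because the limiter never touches Actions. Without a limiter there are 100 Responses; with one global Response per 5 minutes there is exactly one; with the same limit indexed on `src_ip` there is one per source IP; and with one per minute there are five. The indexed case is the practical consequence of the limiter index Paul mentions: the key you choose decides whether a burst from many sources produces one notification or one per source, so pick the index to match what an analyst needs to see.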