Tuning the active rules that generate CRE events
The Custom Rules Engine (CRE) event report shows which active rules generate CRE events. In many cases, a rule response is configured to generate CRE events, either together with an offense or without one. The report shows which CRE events were generated most often and by which rule. In general, if a rule generates events many times per day, it is firing too often, and you should consider tuning it. For example, if 1 or 2 source IPs account for all the CRE events that a rule generates, those source IPs might need to be added to one of the Host Definition building blocks (BBs) that the rule references. Select the rule and click Investigate to see which Host Definition to update.
About this task
You can also use this report to test rules. In this case, the rule response includes only the CRE event dispatch, not offense creation. If the report shows that the rule fires too often, consider tuning it. If you're using CRE events to test a rule and it generates only a few CRE events per week, change the rule response to generate an offense.
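The two tuning decisions described above (a rule that fires many times a day needs tuning, and if 1 or 2 source IPs account for nearly all of its events the fix is usually a Host Definition BB; a test rule that fires only a few times a week can be promoted to an offense) can be applied mechanically to the exported report data. The following is an added example, not code from the app or from IBM: it runs over a constructed set of CRE events in the shape (timestamp, rule name, source IP) and the thresholds it uses are assumptions that an analyst would set per environment.

```python
"""Triage CRE (Custom Rules Engine) events by rule using the report's tuning heuristics.

Added example with constructed sample data, not QRadar output. Thresholds are
assumptions; adjust them to the event volume of your own deployment.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed CRE events as (timestamp, rule_name, source_ip) over 3 days."""
    base = datetime(2024, 1, 1)
    events = []
    # Rule A: 450 events, almost all from one host -> noisy and source-concentrated
    events += [(base + timedelta(minutes=10 * i), "Rule A", "10.0.0.5") for i in range(420)]
    events += [(base + timedelta(hours=2 * i), "Rule A", "10.0.0.9") for i in range(30)]
    # Rule B: 360 events spread evenly over 12 hosts -> noisy, not concentrated
    events += [(base + timedelta(minutes=12 * i), "Rule B", f"10.1.0.{i % 12 + 1}")
               for i in range(360)]
    # Rule C: 2 events in 3 days -> a test rule quiet enough to promote to an offense
    events += [(base + timedelta(hours=5), "Rule C", "10.2.0.1"),
               (base + timedelta(days=2), "Rule C", "10.2.0.2")]
    return events


def summarize_by_rule(events, window_days):
    """Per rule: total count, average events per day and per week, and the
    share of events attributable to the two most frequent source IPs."""
    per_rule = defaultdict(Counter)
    for _ts, rule, src in events:
        per_rule[rule][src] += 1
    summary = {}
    for rule, by_src in per_rule.items():
        total = sum(by_src.values())
        top2 = sum(n for _ip, n in by_src.most_common(2))
        summary[rule] = {
            "count": total,
            "per_day": total / window_days,
            "per_week": total / window_days * 7,
            "top_sources": [ip for ip, _n in by_src.most_common(2)],
            "top2_share": top2 / total,
        }
    return summary


def recommend(summary, noisy_per_day=100, concentrated_share=0.9, quiet_per_week=5):
    """Map each rule to a tuning action following the report guidance.

    - more than noisy_per_day events a day: the rule needs tuning; if one or
      two source IPs produce nearly all of them, add those hosts to the
      Host Definition building block the rule references
    - a test rule (CRE event only) below quiet_per_week events a week:
      change its response to create an offense
    """
    actions = {}
    for rule, s in summary.items():
        if s["per_day"] > noisy_per_day:
            if s["top2_share"] >= concentrated_share:
                actions[rule] = ("add-to-host-definition", s["top_sources"])
            else:
                actions[rule] = ("tune-rule-tests", [])
        elif s["per_week"] < quiet_per_week:
            actions[rule] = ("promote-to-offense", [])
        else:
            actions[rule] = ("ok", [])
    return actions


if __name__ == "__main__":
    summary = summarize_by_rule(build_sample_events(), window_days=3)
    for rule, (action, hosts) in recommend(summary).items():
        print(f"{rule}: {summary[rule]['per_day']:.0f}/day -> {action} {hosts}")
```

To use it on real data, replace `build_sample_events()` with rows parsed from the CSV that the report exports; the rule name and source IP columns are the only fields the heuristics need. The source-concentration check is deliberately applied only to noisy rules, because a rule with two events from two hosts would otherwise look "concentrated" as well.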
Unapplied filter tags appear in the filters row with a lighter colored background. After you apply the filters, the tags change to a darker colored background.
- From the main menu, click CRE Report.
- Filter the rules by calendar or by timeframe. The default timeframe is the last three days. Change the timeframe, or filter for the rules that began to contribute to offenses between specific dates and times.
- Select the number of results to return, and click Apply Filters.
- Review the CRE events by rule and the CRE events by category and rule reports.
- Hover over the chart segments to see more details about an offense.
- Hide or show chart legends.
- Click the legend keys in the CRE events by rule report to fine-tune the chart display.
- Zoom in for further investigation.
- Expand the CRE events by category and rule chart to full screen.
- Export the CRE events by category and rule chart to CSV, PNG, or JPG formats.
- View the CRE events by category and rule chart data in tabular format. Then, export the data in CSV format to view offline or share with colleagues.
Tune the rules by choosing from the following methods:
- Toggle between the topmost noisy rules or all the rules from the list.
- Add another rule to investigate by selecting a group of rules or an individual rule from the list.
- Click Investigate.
- Review each individual rule and the BBs that contribute to the CRE event. For each rule, you can further investigate it by clicking Show dependency tree or Edit in rule wizard.
- Use the visualization diagram to further fine-tune any related options for the rule or building block, such as log source types, custom properties, or reference sets.
- Review the events that are generated by the current rule you selected.
- To instantly refresh the rules from QRadar®, click the Refresh icon. Otherwise, the app automatically updates data from the Console every 15 minutes.
- Review the threshold values in the tests, and tune if necessary.
- Review the values in the various groups of tests, and tune if necessary.
- Review the MITRE ATT&CK mappings for the rule, and edit if necessary.
- To add custom rule attributes to the selected rule or building block, see step 9 in Investigating QRadar rules and building blocks.
- To investigate QRadar User Behavior Analytics rules, see Investigating user behavior analytics rules.
- To return to the CRE events page, click CRE Report in the breadcrumbs.
- To export selected rule data in the report to CSV format to process or view in Excel, select the relevant checkboxes and then click Export.