Adding, editing, and deleting reference sets

Use a reference set to compare a property value, such as an IP address or user name, against a list. You can use reference sets with rules to keep watch lists. For example, you can create a rule to detect when an employee accesses a prohibited website and then add that employee's IP address to a reference set.

About this task

After you add data to the reference set, the Number of Elements and Associated Rules parameters are automatically updated.

When you edit a reference set, you can change the data values, but you can't change the type of data that the reference set contains.

Before a reference set is deleted, QRadar® runs a dependency check to see whether the reference set has rules that are associated with it.

Note: If you use techniques to obfuscate data on the event properties that you want to compare to the reference set data, use an alphanumeric reference set and add the obfuscated data values.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Reference Set Management.
  3. To add a reference set:
    1. Click Add and configure the parameters.
      The following table describes each of the parameters that are used to configure a reference set.

      Table 1. Reference Set parameters

      Name
        The maximum length of the reference set name is 255 characters.

      Type
        Select the data type for the reference elements. You can't edit the Type parameter after you create a reference set.

        The IP type stores IPv4 addresses. The Alphanumeric (Ignore Case) type automatically changes any alphanumeric value to lowercase.

        To compare obfuscated event and flow properties to the reference data, you must use an alphanumeric reference set.

      Time to Live of elements
        Specifies when reference elements expire. If you select the Lives Forever default setting, the reference elements don't expire.

        If you specify an amount of time, indicate whether the time-to-live interval is measured from when the element was first seen or from when it was last seen.

        QRadar removes expired elements from the reference set periodically (by default, every 5 minutes).

      When elements expire
        Specifies how expired reference elements are logged in the qradar.log file when they are removed from the reference set.

        The Log each element in a separate log entry option triggers an Expired ReferenceData element log event for each reference element that is removed. The event contains the reference set name and the element value.

        The Log elements in one log entry option triggers one Expired ReferenceData element log event for all reference elements that are removed at the same time. The event contains the reference set name and the element values.

        The Do not log elements option does not trigger a log event for removed reference elements.

    2. Click Create.
  4. Click Edit or Delete to work with existing reference sets.
    Tip: To delete multiple reference sets, use the Quick Search text box to search for the reference sets that you want to delete, and then click Delete Listed.
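The following is an added example, not QRadar code, that models the Type, Time to Live and When elements expire settings described in Table 1 so you can see how a first-seen versus last-seen TTL and the three expiry logging options behave on a watch list. The class and method names are assumptions made for illustration; the periodic purge that QRadar runs every 5 minutes is called explicitly here.

```python
import ipaddress

# Added example: a small model of reference set semantics (not QRadar code).
# Names such as ReferenceSet, add, contains and purge_expired are assumptions.
class ReferenceSet:
    def __init__(self, name, element_type, ttl_seconds=None,
                 ttl_basis="first_seen", expiry_logging="separate"):
        self.name = name
        self.element_type = element_type      # "IP" or "AlnumIgnoreCase"
        self.ttl_seconds = ttl_seconds        # None models "Lives Forever"
        self.ttl_basis = ttl_basis            # "first_seen" or "last_seen"
        self.expiry_logging = expiry_logging  # "separate", "single" or "none"
        self.elements = {}                    # value -> [first_seen, last_seen]
        self.log = []                         # constructed stand-in for qradar.log

    def normalize(self, value):
        if self.element_type == "IP":
            # The IP type stores IPv4 addresses only; anything else is rejected
            return str(ipaddress.IPv4Address(value))
        # Alphanumeric (Ignore Case) lowercases every value before storing it
        return str(value).lower()

    def add(self, value, now):
        v = self.normalize(value)
        if v in self.elements:
            self.elements[v][1] = now         # refresh last-seen timestamp
        else:
            self.elements[v] = [now, now]
        return v

    def contains(self, value):
        try:
            return self.normalize(value) in self.elements
        except ipaddress.AddressValueError:
            return False

    def purge_expired(self, now):
        if self.ttl_seconds is None:          # Lives Forever: nothing expires
            return []
        idx = 0 if self.ttl_basis == "first_seen" else 1
        expired = [v for v, seen in self.elements.items()
                   if now - seen[idx] >= self.ttl_seconds]
        for v in expired:
            del self.elements[v]
        if expired and self.expiry_logging == "separate":
            for v in expired:   # one Expired ReferenceData element event per value
                self.log.append(f"Expired ReferenceData element: set={self.name} value={v}")
        elif expired and self.expiry_logging == "single":
            self.log.append(f"Expired ReferenceData element: set={self.name} values={expired}")
        return expired
```

Refreshing an element with add() only extends its life when the TTL is based on last seen; with first seen the element expires at the original time regardless of later hits.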