Use case: Monitor policies for violations

IBM® QRadar® Risk Manager can continuously monitor any predefined or user-generated question in Policy Monitor. You can use monitor mode to generate events in QRadar Risk Manager.

When you select a question to be monitored, QRadar Risk Manager analyzes the question against your topology every hour to determine if an asset or rule change generates an unapproved result. If QRadar Risk Manager detects an unapproved result, an offense can be generated to alert you about a deviation in your defined policy. In monitor mode, QRadar Risk Manager can simultaneously monitor the results of 10 questions.

Question monitoring provides the following key features:
  • Monitor rule or asset changes hourly for unapproved results.
  • Use your high-level and low-level event categories to categorize unapproved results.
  • Generate offenses, emails, syslog messages, or dashboard notifications on unapproved results.
  • Use event viewing, correlation, event reporting, custom rules, and dashboards in QRadar SIEM.