Rules

Rules, sometimes called correlation rules, are applied to events, flows, or offenses to search for or detect anomalies. If all the conditions of a test are met, the rule generates a response.

What are rules?

Custom rules test events, flows, and offenses to detect unusual activity in your network. You create new rules by using AND and OR combinations of existing rule tests. Anomaly detection rules test the results of saved flow or event searches to detect when unusual traffic patterns occur in your network. Anomaly detection rules require a saved search that is grouped around a common parameter.

What are building blocks?

A building block is a collection of tests that don't result in a response or an action.

A building block groups commonly used tests to build complex logic so that it can be reused in rules. A building block often tests for IP addresses, privileged user names, or collections of event names. For example, a building block can include the IP addresses of all DNS servers. Rules can then use this building block.

QRadar® has default rules and you can also download more rules from the IBM® Security App Exchange to create new rules.

How do rules work?

QRadar Event Collectors gather events from local and remote sources, normalize these events, and classify them into low-level and high-level categories. For flows, QRadar QFlow Collectors read packets from the wire or receive flows from other devices and then convert the network data to flow records. Each Event Processor processes events or flow data from the QRadar Event Collectors. Flow Processors examine and correlate the information to indicate behavioral changes or policy violations. The custom rules engine (CRE) processes events and compares them against the defined rules to search for anomalies. When a rule condition is met, the Event Processor generates the action that is defined in the rule response. The CRE tracks the systems that are involved in incidents, contributes events to offenses, and generates notifications.

How is an offense created from a rule?

QRadar creates an offense when events, flows, or both meet the test criteria that are specified in the rules.

QRadar analyzes the following information:
  • Incoming events and flows
  • Asset information
  • Known vulnerabilities

The rule that created the offense determines the offense type.

The magistrate prioritizes the offenses and assigns the magnitude value based on several factors, including number of events, severity, relevance, and credibility.

Note: Building blocks are tested before rules are tested.

For example, you have a building block that is defined to trigger an offense on high magnitude events. The log activity can show that there were high magnitude events, but no offense was triggered. This can happen because, when the building block was tested, the events were not yet at high magnitude. The magnitude of the event did not increase until the rules were tested.

One solution is to set a rule to check for the difference in Severity, Credibility, and Relevance directly rather than to use a building block.
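The following toy correlation engine is an added illustration, not QRadar code, of the concepts above: reusable building blocks with no response of their own (here, a DNS-server address list), rules that combine tests with AND or OR, building blocks evaluated before rules, and the ordering pitfall just described. The magnitude arithmetic, field names, thresholds, IP addresses and events are all constructed assumptions; QRadar's real magnitude formula is not on this page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Event = dict
Test = Callable[[Event], bool]


@dataclass
class BuildingBlock:
    """A reusable collection of tests; matching it produces no response."""
    name: str
    tests: List[Test]

    def matches(self, event: Event) -> bool:
        return all(t(event) for t in self.tests)


@dataclass
class Rule:
    """Tests combined with AND or OR; a match produces the rule response."""
    name: str
    tests: List[Test]
    combine: str = "AND"
    response: str = "create offense"

    def matches(self, event: Event) -> bool:
        results = [t(event) for t in self.tests]
        return all(results) if self.combine == "AND" else any(results)


def assumed_magnitude(event: Event) -> int:
    # Constructed placeholder: average of severity, credibility and relevance (0-10 each).
    return round((event["severity"] + event["credibility"] + event["relevance"]) / 3)


def evaluate(event: Event, building_blocks: List[BuildingBlock],
             rules: List[Rule]) -> Tuple[Event, List[Tuple[str, str]]]:
    """Pass 1 tests building blocks, pass 2 tests rules (the ordering the page describes)."""
    ev = dict(event)
    ev.setdefault("magnitude", 0)  # assumption: magnitude not yet computed when blocks run
    ev["matched_bbs"] = {bb.name for bb in building_blocks if bb.matches(ev)}
    ev["magnitude"] = assumed_magnitude(ev)  # assumption: recomputed before rules run
    fired = [(r.name, r.response) for r in rules if r.matches(ev)]
    return ev, fired


# Constructed sample data: approved resolvers and two DNS events.
DNS_SERVERS: Set[str] = {"10.0.0.53", "10.0.1.53"}

BB_DNS_SERVERS = BuildingBlock("BB:DNSServers", [lambda e: e["dst_ip"] in DNS_SERVERS])
BB_HIGH_MAGNITUDE = BuildingBlock("BB:HighMagnitude", [lambda e: e["magnitude"] >= 7])

RULE_UNAPPROVED_DNS = Rule("DNS to unapproved resolver", [
    lambda e: e["dst_port"] == 53,
    lambda e: "BB:DNSServers" not in e["matched_bbs"],
])
# Relies on the building block, so it misses events whose magnitude rises later.
RULE_HIGH_VIA_BB = Rule("High magnitude (via building block)",
                        [lambda e: "BB:HighMagnitude" in e["matched_bbs"]])
# Tests severity, credibility and relevance directly, as the page suggests.
RULE_HIGH_DIRECT = Rule("High magnitude (direct test)", [
    lambda e: e["severity"] >= 7,
    lambda e: e["credibility"] >= 7,
    lambda e: e["relevance"] >= 7,
])

EVENT_UNAPPROVED = {"src_ip": "10.0.5.20", "dst_ip": "8.8.8.8", "dst_port": 53,
                    "severity": 8, "credibility": 8, "relevance": 9}
EVENT_APPROVED = {"src_ip": "10.0.5.20", "dst_ip": "10.0.0.53", "dst_port": 53,
                  "severity": 2, "credibility": 5, "relevance": 3}


def run_demo() -> Dict[str, Tuple[Event, List[Tuple[str, str]]]]:
    bbs = [BB_DNS_SERVERS, BB_HIGH_MAGNITUDE]
    rules = [RULE_UNAPPROVED_DNS, RULE_HIGH_VIA_BB, RULE_HIGH_DIRECT]
    return {label: evaluate(ev, bbs, rules)
            for label, ev in (("unapproved", EVENT_UNAPPROVED), ("approved", EVENT_APPROVED))}


if __name__ == "__main__":
    for label, (ev, fired) in run_demo().items():
        print(label, "magnitude", ev["magnitude"], "blocks", sorted(ev["matched_bbs"]),
              "fired", [name for name, _ in fired])
```

Running it shows the unapproved-resolver event reaching magnitude 8 only after the building-block pass, so "High magnitude (via building block)" stays silent while the direct test and the DNS rule fire; the event to an approved resolver matches only the DNS-server building block and fires nothing.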