Creating a historical correlation profile

You create a historical correlation profile to rerun past events and flows through the custom rules engine (CRE). The profile includes information about the data set and the rules to use during the run.

Restriction: You can create historical profiles only in IBM QRadar SIEM. You cannot create historical profiles in IBM QRadar Log Manager.

Before you begin

Common rules test data in both events and flows. You must have permission to view both events and flows before you can add common rules to the profile. When a profile is edited by a user who doesn't have permission to view both events and flows, the common rules are automatically removed from the profile.

About this task

You can configure a profile to correlate by either start time or device time. Start time is the time when the events arrive at the event collector. Device time is the time that the event occurred on the device. Events can be correlated by start time or device time. Flows can be correlated by start time only.

You can include disabled rules in the profile. Rules that are disabled are indicated in the rules list with (Disabled) after the rule name.

A historical correlation run does not contribute to a real-time offense, nor does it contribute to an offense that was created from an earlier historical correlation run, even when the same profile is used.

Attention: If you create too many historical correlation profiles that have many rules that are assigned to them, your offenses can be slow to load. If your offenses are slow to load, you can either delete unneeded profiles or edit them to have fewer rules.

Procedure

  1. Open the Historical Correlation dialog box.
    • On the Log Activity tab, click Actions > Historical Correlation.
    • On the Network Activity tab, click Actions > Historical Correlation.
    • On the Offenses tab, click Rules > Actions > Historical Correlation.
  2. Click Add and select Event Profile or Flow Profile.
  3. Type a name for the profile and select a saved search.
    You can use only non-aggregated saved searches.
  4. On the Rules tab, select the rules to be run against the historical data, and choose the correlation time.

    If you select the Use all enabled rules check box, you cannot include disabled rules in the profile. If you want to include both enabled and disabled rules in the profile, you must select them individually from the rules list and click Add Selected.

  5. On the Schedule tab, enter the time range for the saved search and set the profile schedule settings.
  6. On the Summary tab, review the configuration and choose whether to run the profile immediately.
  7. Click Save.

    The profile is put into a queue to be processed. Queued profiles that are based on a schedule take priority over manual runs.