IBM® QRadar® includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect unusual activity.
What are custom rules?
Customize default rules to detect unusual activity in your network.
- Event rules: Test against incoming log source data that is processed in real time by the QRadar Event Processor. You create an event rule to detect a single event or a sequence of events. For example, to monitor your network for unsuccessful login attempts, access to multiple hosts, or a reconnaissance event followed by an exploit, you create an event rule. It is common for event rules to create offenses as a response.
- Flow rules: Test against incoming flow data that is processed by the QRadar Flow Processor. You create a flow rule to detect a single flow or a sequence of flows. It is common for flow rules to create offenses as a response.
- Common rules: Test against both event and flow data. For example, you can create a common rule to detect events and flows that have a specific source IP address. It is common for common rules to create offenses as a response.
- Offense rules: Test the parameters of an offense to trigger further responses. For example, a response is generated when an offense occurs during a specific date and time. An offense rule processes an offense only when the offense changes, for example when new events are added to it or when the system schedules it for reassessment. It is common for offense rules to send an email notification as a response.
You can create rules, edit them, assign them to groups, and delete groups of rules. By categorizing your rules or building blocks into groups, you can efficiently view and track your rules. For example, you can view all rules that are related to compliance.
If a rule has a domain test, you can restrict that rule so that it is applied only to events that occur within a specified domain. If an event carries a domain tag that differs from the domain that is set on the rule, the rule does not trigger a response.
To create a rule that tests conditions across the entire system, set the domain condition to Any Domain.
Most rule tests evaluate a single condition, like the existence of an element in a reference data collection or testing a value against a property of an event. For complex comparisons, you can test event rules by building an Ariel Query Language (AQL) query with WHERE clause conditions. You can use all of the WHERE clause functions to write complex criteria that can eliminate the need to run numerous individual tests. For example, use an AQL WHERE clause to check whether inbound SSL or web traffic is being tracked on a reference set.
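As an added example (not from the IBM documentation), the following shows the WHERE-clause conditions for the inbound SSL or web traffic case described above, first as they would be entered in the rule's AQL filter test and then wrapped in a full Ariel search so that the clause can be checked against recent events before a rule is built on it. It assumes a reference set named 'Tracked_Web_Servers' (hypothetical) that holds the destination IP addresses to watch, and treats any source outside 10.0.0.0/8 (a constructed internal range) as inbound.

```sql
-- Added example, not from the QRadar documentation.
-- Assumptions: reference set 'Tracked_Web_Servers' (hypothetical) contains the
-- destination IPs to track; 10.0.0.0/8 stands in for the internal address range.

-- 1) Conditions as entered in the rule wizard's AQL filter test (no SELECT):
--    the destination is tracked, the source is external, and the port is a
--    common web or SSL port.
REFERENCESETCONTAINS('Tracked_Web_Servers', destinationip)
  AND NOT INCIDR('10.0.0.0/8', sourceip)
  AND (destinationport = 80 OR destinationport = 443 OR destinationport = 8443)

-- 2) The same conditions in a complete Ariel search, run from the search page
--    to confirm what the clause matches over the last hour before attaching
--    it to a rule.
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip,
       destinationip,
       destinationport,
       QIDNAME(qid) AS event_name,
       LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE REFERENCESETCONTAINS('Tracked_Web_Servers', destinationip)
  AND NOT INCIDR('10.0.0.0/8', sourceip)
  AND (destinationport = 80 OR destinationport = 443 OR destinationport = 8443)
LAST 1 HOURS
```

Only the WHERE-clause conditions in part 1 go into the rule test; the SELECT, FROM and time range in part 2 are for validation in the search page only.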
You can run tests on the property of an event, flow, or offense, such as source IP address, severity of event, or rate analysis.
With functions, you can combine building blocks and other rules to create a multi-event, multi-flow, or multi-offense function. You can connect rules by using functions that support Boolean operators, such as OR and AND. For example, to connect event rules, you can use the "when an event matches any|all of the following rules" function.