QRadar rules

Rules perform tests on events, flows, or offenses. If all the conditions of a test are met, the rule generates a response.

IBM QRadar includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. For more information about rules, see the IBM QRadar Administration Guide.

The following list describes the two rule categories:
  • Custom rules perform tests on events, flows, and offenses to detect unusual activity in your network.
  • Anomaly detection rules perform tests on the results of saved flow or event searches to detect when unusual traffic patterns occur in your network.

Important: A user with non-administrative access can create rules for areas of the network that they can access. You must have the appropriate role permissions to manage rules. For more information, see Custom rules in.
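As an added illustration (not QRadar's own rule engine or configuration), the following Python sketch mimics the kind of custom-rule test described above: it fires a response when at least N failed-login events from one source IP arrive within M minutes, the "multiple failed login attempts" case the page mentions. The event tuple layout, the event name "Login Failure" and the sample data are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event name, source IP).
BASE = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = (
    # six failures from one source inside 50 seconds -> should trigger
    [(BASE + timedelta(seconds=s), "Login Failure", "10.0.0.5")
     for s in (0, 10, 20, 30, 40, 50)]
    # three failures spread over 14 minutes -> never five in a 5-minute window
    + [(BASE + timedelta(minutes=m), "Login Failure", "10.0.0.9")
       for m in (0, 7, 14)]
    # a success is not matched by the rule's event test
    + [(BASE + timedelta(seconds=5), "Login Success", "10.0.0.5")]
)


def failed_login_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Rule test: 'at least `threshold` Login Failure events from the same
    source IP within `window`'. Each source triggers at most one response;
    the response carries the source, the count seen and the trigger time."""
    recent = defaultdict(deque)   # source IP -> timestamps still inside window
    fired = set()
    responses = []
    for ts, name, src in sorted(events):
        if name != "Login Failure":      # first test: event property match
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold and src not in fired:  # second test: count
            fired.add(src)
            responses.append({"source_ip": src, "count": len(q), "time": ts})
    return responses


if __name__ == "__main__":
    for r in failed_login_rule(EVENTS):
        print(f"rule response: {r['count']} failures from {r['source_ip']} at {r['time']}")
```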