You can tune false positive events and flows to prevent them from creating offenses.
Before you begin
To create a new rule, you must have the permission for creating customized rules to tune false positives. For more information about roles and permissions, see the IBM QRadar User Guide.
Procedure
- Click the Log Activity tab or the Network Activity tab.
- Select the event or flow that you want to tune.
- Click False Positive.
  Note: If you are viewing events or flows in streaming mode, you must pause streaming before you click False Positive.
- Select one of the following Event or Flow Property options:
  - Event/Flow(s) with a specific QID of <Event>
  - Any Event/Flow(s) with a low-level category of <Event>
  - Any Event/Flow(s) with a high-level category of <Event>
- Select one of the following Traffic Direction options:
  - <Source IP Address> to <Destination IP Address>
  - <Source IP Address> to Any Destination
  - Any Source to <Destination IP Address>
  - Any Source to any Destination
- Click Tune.
  QRadar prevents you from selecting Any Events/Flow(s) together with Any Source To Any Destination. Tuning creates a custom rule that stops QRadar from creating offenses for the events or flows that match it.
For more information about tuning false positives, see the IBM QRadar User Guide.
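To show what the Event/Flow Property and Traffic Direction choices above combine into, here is an added Python model (not QRadar's code or schema) of the rule that Tune creates: it derives a matcher from the selected event, refuses the Any Events/Flow(s) with Any Source to Any Destination combination, and counts how many constructed sample events each rule would keep out of offenses. The field names, scope labels and sample events are assumptions made for the example.

```python
from dataclasses import dataclass
# Constructed event record with the fields the False Positive dialog matches on
# (a model of the rule logic, not QRadar's schema or code).
@dataclass(frozen=True)
class Event:
    qid: int
    low_level_category: str
    high_level_category: str
    src_ip: str
    dst_ip: str
# Event/Flow Property choice -> event field matched; "any" is the Any Events/Flow(s)
# choice the product refuses together with Any Source to Any Destination.
FIELD = {"qid": "qid", "low_level": "low_level_category", "high_level": "high_level_category"}
DIRECTIONS = ("src_to_dst", "src_to_any", "any_to_dst", "any_to_any")

def build_false_positive_rule(seed: Event, scope: str, direction: str) -> dict:
    """Derive the custom rule that Tune would create from the selected event."""
    if (scope not in FIELD and scope != "any") or direction not in DIRECTIONS:
        raise ValueError(f"unknown scope/direction: {scope!r}, {direction!r}")
    if scope == "any" and direction == "any_to_any":
        raise ValueError("refused: rule would suppress every event/flow")
    rule = {"scope": scope}
    if scope != "any":
        rule["value"] = getattr(seed, FIELD[scope])
    if direction in ("src_to_dst", "src_to_any"):
        rule["src_ip"] = seed.src_ip
    if direction in ("src_to_dst", "any_to_dst"):
        rule["dst_ip"] = seed.dst_ip
    return rule

def matches(rule: dict, ev: Event) -> bool:
    """True when the rule suppresses this event, so it creates no offense."""
    if rule["scope"] != "any" and getattr(ev, FIELD[rule["scope"]]) != rule["value"]:
        return False
    if "src_ip" in rule and ev.src_ip != rule["src_ip"]:
        return False
    return not ("dst_ip" in rule and ev.dst_ip != rule["dst_ip"])

def suppressed_count(rule: dict, events) -> int:
    """How many of the events the rule would keep from creating offenses."""
    return sum(matches(rule, ev) for ev in events)

# Constructed sample events (not real QRadar data).
SAMPLE_EVENTS = [
    Event(5000001, "Firewall Permit", "Access", "10.0.0.5", "192.168.1.10"),
    Event(5000001, "Firewall Permit", "Access", "10.0.0.6", "192.168.1.10"),
    Event(5000002, "Firewall Deny", "Access", "10.0.0.5", "192.168.1.10"),
    Event(6000001, "Exploit Detected", "Exploit", "10.0.0.5", "192.168.1.10"),
]
```

Widening the property from a specific QID to a high-level category, or the direction from a specific pair to Any, grows the set of suppressed events quickly, which is why the broadest combination is refused.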