Custom rules

IBM® QRadar® includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect unusual activity.

What are custom rules?

Customize default rules to detect unusual activity in your network.

Rule types

Each of the event, flow, common, and offense rule types tests against incoming data from different sources in real time. There are multiple types of rule tests. Some check for simple properties in the data set. Other rule tests are more complicated: they track multiple event, flow, and offense sequences over a period of time and use a counter on one or more parameters before a rule response is triggered.
Event rules
Test against incoming log source data that is processed in real time by the QRadar Event Processor. You create an event rule to detect a single event or a sequence of events. For example, to monitor your network for unsuccessful login attempts, access to multiple hosts, or a reconnaissance event followed by an exploit, you create an event rule. It is common for event rules to create offenses as a response.
Flow rules
Test against incoming flow data that is processed by the QRadar Flow Processor. You can create a flow rule to detect a single flow or flow sequences. It is common for flow rules to create offenses as a response.
Common rules
Test against event and flow data. For example, you can create a common rule to detect events and flows that have a specific source IP address. It is common for common rules to create offenses as a response.
Offense rules
Test the parameters of an offense to trigger more responses. For example, a response is generated when an offense occurs during a specific date and time. An offense rule processes an offense only when changes are made to it, for example when new events are added or when the system schedules the offense for reassessment. It is common for offense rules to send an email notification as a response.

Managing rules

You can create and edit rules, assign rules to groups, and delete groups of rules. By organizing your rules or building blocks into groups, you can view and track them efficiently. For example, you can view all rules that are related to compliance.

Domain-specific rules

If a rule has a domain test, you can restrict that rule so that it is applied only to events that happen within a specified domain. If an event carries a domain tag that is different from the domain that is set on the rule, the rule does not trigger a response.

To create a rule that tests conditions across the entire system, set the domain condition to Any Domain.

Rule conditions

Most rule tests evaluate a single condition, such as the existence of an element in a reference data collection or a value compared against a property of an event. For complex comparisons, you can test event rules by building an Ariel Query Language (AQL) query with WHERE clause conditions. You can use all of the WHERE clause functions to write complex criteria that can eliminate the need to run numerous individual tests. For example, use an AQL WHERE clause to check whether inbound SSL or web traffic is being tracked on a reference set.

You can run tests on the property of an event, flow, or offense, such as source IP address, severity of event, or rate analysis.

With functions, you can use building blocks and other rules to create a multi-event, multi-flow, or multi-offense function. You can connect rules by using functions that support Boolean operators, such as OR and AND. For example, to connect event rules, you can use the function "when an event matches any|all of the following rules".
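The counter-over-a-parameter behaviour of an event rule (Rule types), the domain test (Domain-specific rules), and a reference-set condition (Rule conditions) modelled together as an added Python example; this is not QRadar code, and the event field names, the threshold and window values, and the sample events are constructed for illustration.

```python
"""Toy model of a QRadar-style event rule (constructed example, not QRadar
code): a counter over one parameter (source IP) within a time window, a
domain test, and a reference-set test. Field names are assumptions."""
from collections import defaultdict, deque

ANY_DOMAIN = "Any Domain"      # wildcard: the rule applies system-wide
TRACKED_HOSTS = {"10.0.0.5"}   # constructed reference set of known hosts

def failed_login_rule(events, threshold=3, window=60,
                      domain=ANY_DOMAIN, ref_set=TRACKED_HOSTS):
    """Return (time, sourceip) pairs at which the rule fires.

    Fires when `threshold` authentication failures from one source IP
    that is not in `ref_set` occur within `window` seconds and the event's
    domain tag matches the rule's domain (or the rule is Any Domain).
    Events arrive in time order, as an Event Processor would see them.
    """
    recent = defaultdict(deque)    # counter state: sourceip -> timestamps
    responses = []
    for ev in events:
        if domain != ANY_DOMAIN and ev["domain"] != domain:
            continue               # domain test failed: no response
        if ev["category"] != "Authentication Failure":
            continue               # not the property this rule tests
        if ev["sourceip"] in ref_set:
            continue               # already tracked: suppress the noise
        q = recent[ev["sourceip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()            # drop hits that fell out of the window
        if len(q) >= threshold:
            responses.append((ev["time"], ev["sourceip"]))
            q.clear()              # fire once per burst, then reset
    return responses

# Constructed sample events (epoch seconds, already sorted by time).
def _ev(t, ip, dom, cat="Authentication Failure"):
    return {"time": t, "sourceip": ip, "domain": dom, "category": cat}

SAMPLE_EVENTS = [
    _ev(0, "192.0.2.10", "Corp"), _ev(20, "192.0.2.10", "Corp"),
    _ev(40, "192.0.2.10", "Corp"), _ev(45, "10.0.0.5", "Corp"),
    _ev(50, "192.0.2.77", "Lab"), _ev(55, "192.0.2.77", "Lab"),
    _ev(58, "192.0.2.77", "Lab"), _ev(500, "192.0.2.10", "Corp"),
    _ev(510, "192.0.2.10", "Corp", "Authentication Success"),
]

if __name__ == "__main__":
    print(failed_login_rule(SAMPLE_EVENTS))                 # both bursts
    print(failed_login_rule(SAMPLE_EVENTS, domain="Corp"))  # Corp only
```

Restricting the rule to one domain drops the burst from the other domain, and the isolated failure at 500 seconds never reaches the threshold because the earlier hits have aged out of the window.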