IBM Support

QRadar: Rule not matched, even though all rule conditions are met.

Troubleshooting


Problem

A Rule is not matched, even though all the Rule conditions are met.

Cause

Two causes are common. The first is that a false-positive Rule or Building Block whose criteria overlap with the Rule experiencing the issue is already matching the same events or flows, which prevents the Rule from matching. The second, seen more recently, is a Rule built from stacked conditionals of the form "match at least X times with the same Y in Z minutes", where each conditional is keyed on a different property and so the tests do not combine in the way the author intended.

Diagnosing The Problem


To check for the false-positive case, isolate the rules that fully or partially match a sample event or flow:

  1. Run a search for the Events or Flows that should match the Rule experiencing the issue. Filter on the Rule's own criteria rather than on a Search Parameter that begins with the phrase Custom Rule with a Value equal to that Rule: because the Rule has not matched, a Custom Rule filter on it returns nothing.
  2. Double-click one of the search results that meets the Rule's conditions. A new window opens with the details of that event or flow.
  3. In the new window, scroll down to the Additional Information heading and review the Custom Rules listed. If a false-positive Rule or Building Block (listed with the prefix FalsePositive:) appears there, it is the cause of the Rule not matching.




Another possibility concerns the conditionals that are chosen and how they interact with each other. Take, for example, a Rule built from two stacked tests, one on Username and one on Source IP:





Read in order, that Rule does the following:
  1. Evaluate the first test and wait until at least 5 events with the same Username have matched the Building Block within 5 minutes.
  2. Once the first test is met, the second test waits until at least 5 events with the same Source IP match the Building Block within 5 minutes. This count is not tied to the Username from the first test.

The intent of the Rule was to require the same Username and the same Source IP. As written, the Rule may never reach the second test, or it fires on a combination of events other than the one intended.

To address this, consider the following change to the Rule:




This way, Username and Source IP are combined into one key pair, so the Rule requires 5 events with the same Username and the same Source IP, rather than 5 events by Username followed by 5 events from an unrelated Source IP.
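To make the difference between the two rule shapes concrete, the following Python emulation runs both on constructed sample events. This is an added example and not QRadar code or part of the original technote; the event fields, the threshold of 5, the 5-minute window, and the sequential reading of the stacked tests are assumptions taken from the description above.

```python
"""Emulation of the two rule shapes discussed above, on constructed sample events.

Added illustration, not QRadar code: the rule tests are modelled in plain Python
so the effect of keying the count on one property versus two is visible.
"""
from collections import defaultdict

WINDOW_SECONDS = 300   # "in 5 minutes"
THRESHOLD = 5          # "at least 5 times"


def event(time, username, sourceip):
    # Minimal stand-in for a QRadar event (assumed fields, not the real schema).
    return {"time": time, "username": username, "sourceip": sourceip}


# Constructed data (assumption, not from the page). Every event would pass the
# rule's Building Block filter. "alice" appears 5 times and 10.0.0.1 appears 6
# times, but no single (username, sourceip) pair is seen more than once.
SAMPLE_EVENTS = [
    event(0, "alice", "10.0.0.1"),
    event(10, "alice", "10.0.0.2"),
    event(20, "alice", "10.0.0.3"),
    event(30, "alice", "10.0.0.4"),
    event(40, "alice", "10.0.0.5"),
    event(60, "bob", "10.0.0.1"),
    event(70, "carol", "10.0.0.1"),
    event(80, "dave", "10.0.0.1"),
    event(90, "eve", "10.0.0.1"),
    event(100, "frank", "10.0.0.1"),
]

# Constructed data: the behaviour the rule author actually wanted to catch.
TRUE_POSITIVE = [event(t, "alice", "10.0.0.9") for t in (0, 15, 30, 45, 60)]

# Constructed data: 5 events for one user and IP, but spread over more than 5 minutes.
SPREAD_OUT = [event(t, "alice", "10.0.0.9") for t in (0, 100, 200, 300, 400)]


def first_match(events, key_fields, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Emulate one 'at least <threshold> events with the same <key_fields> in
    <window> seconds' test. Returns the index of the event on which the
    threshold is first reached, or None if it never is."""
    recent = defaultdict(list)  # key tuple -> timestamps still inside the window
    for i, ev in enumerate(events):
        key = tuple(ev[f] for f in key_fields)
        now = ev["time"]
        # Drop timestamps that have fallen out of the sliding window, add this one.
        recent[key] = [t for t in recent[key] if now - t <= window] + [now]
        if len(recent[key]) >= threshold:
            return i
    return None


def stacked_rule_fires(events):
    """The rule as first written: a Username test, then a separate Source IP
    test. Following the page's reading, the second test only starts counting
    once the first has been satisfied, and its key is unrelated to the first."""
    first = first_match(events, ("username",))
    if first is None:
        return False
    return first_match(events[first + 1:], ("sourceip",)) is not None


def combined_rule_fires(events):
    """The corrected rule: one test keyed on Username and Source IP together,
    so only 5 events from the same user AND the same IP count."""
    return first_match(events, ("username", "sourceip")) is not None


if __name__ == "__main__":
    for name, evs in (("mixed users and IPs", SAMPLE_EVENTS),
                      ("one user, one IP", TRUE_POSITIVE),
                      ("spread over >5 min", SPREAD_OUT)):
        print(f"{name:22s} stacked={stacked_rule_fires(evs)!s:5s} "
              f"combined={combined_rule_fires(evs)}")
```

On the mixed sample the stacked rule fires even though no user ever repeated from the same address, while on the genuine five-from-one-address sequence it never reaches its second test; the combined key gives the opposite, intended, result in both cases.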

Resolving The Problem

Review the Custom Rules listed in the steps above and determine which criteria of the Rule experiencing the issue also appear in any of the false-positive Building Blocks or Rules listed. Then add an exception to that false-positive Building Block or Rule so that it no longer matches the events the Rule is meant to catch.



Product: IBM Security QRadar SIEM (Enterprise edition), component General Information, platform Linux, versions 7.2 and 7.3.

Historical Number

2361

Document Information

Modified date:
16 June 2018

UID

swg21622847