IBM Support

QRadar: An Example of How an Anomaly Rule Triggers Over Time

Question & Answer


How do I know when an anomaly rule will trigger when testing against a value, such as an event count?


Let's consider an anomaly rule that uses a test:

"when the average value (per interval) of Event Count(Sum) over the last 1 min is at least 50% different from the average value (per interval) of the same property over the last 5 mins."

For any anomaly rule, if the base value is zero, then it will not trigger. For example, if the base value increases from 0 to 50 counts, it will not trigger. However, if the base value changes from 50 to 100, or from 1 to 51, it will trigger.

Also, it will get triggered if the base value changes from 50 to 0 as the percentage value can be +50% or -50% from the expected value. Since in the above example. we are taking the average value for the last 5 minutes, the anomaly rule would be firing for the next 4 minutes till the average value goes down. For example, if there are 50 events coming for last 10 minutes after which the events stop, the average value will keep on dropping based on which the rule will get triggered as per the following table:

Average count for last 5 minutes
Percentage of threshold
1st Minute
100 %
Anomaly rule will trigger
2nd Minute
80 %
Anomaly rule will trigger
3rd Minute
70 %
Anomaly rule will trigger
4th minute
60 %
Anomaly rule will trigger
5th Minute
50 %
Rule does not trigger


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000GncCAAS","label":"QRadar->Rules"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Product Synonym


Document Information

Modified date:
01 April 2020