Question & Answer
Question
How to can I receive alerts if a log source stops receiving events?
Answer
The standard Device Stopped Sending Events rule that is included by default with QRadar can send an alert when a device stops sending events. This rule can be configured with one or more Log Sources along with the time interval when the log source stops receiving events. By default this interval is set to 3600 seconds.
- Log in to the QRadar UI.
- Click the Offenses tab.
- Click Rules.
- From the Group drop-down menu, select System.
- Select the Rule Name Device Stopped Sending Events.
- Select Actions > Duplicate.
- Enter a name for the new rule.
- Click OK.
- Double-click the new rule to configure it.
- In the Rule Wizard, click these devices and select one or more log sources you want to receive alerts on.
- Add the devices and click Submit.
- Select 3600 to configure the threshold for when to generate an alert, the default is 3600 seconds.
- Click Next.
- Select Email and type the email address to send the notification when the event is triggered.
Note: If you are using multiple email addresses, use a comma between each email address.
- Click Next.
- From the Rule Response, configure the frequency in which you want this rule to respond.
- Select Enable Rule.
- Configure the Response Limiter.
- Click Next to review the rule configuration.
- Click Finish.
Results
You configured a Rule to Alert you when a Log Source stops sending events for an interval
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtrAAA","label":"Rules"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
03 November 2022
UID
swg21981697