QRadar: Default Rules with action "none" are being displayed in the 'Rules list'

Troubleshooting

Problem

When Selecting the 'Configuration Monitor', then 'Rules list' for a device, it will display 'Default' rules with Action 'NONE'.

Cause

These entries do not have any impact on any other functionality and can be ignored. The Default Rules are used internally to notify if no match is found with a filter list and then move onto the next list from the Standard Element Document (SED).

Resolving The Problem

These default rules are used by core to say "if no match is found with this filter list move on to the next list in the SED". This should not be confused with the default action for any packet which does not match any rules and would usually be an "accept" or "deny".

Results: This is expected behaviour and no action is required.

Where do you find more information?

[{"Product":{"code":"SSBQQU","label":"IBM Security QRadar Risk Manager"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Configuration Monitor","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips

QRadar: Default Rules with action "none" are being displayed in the 'Rules list'

Troubleshooting

Problem

Cause

Resolving The Problem

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?