Question & Answer
Question
What are Rules of Type "Lack Of Event" and how does the timer task work in these instances?
Cause
The timer task is set to fire after the configured timeout value plus up to a maximum of 4 minutes and is working as designed.
Answer
Before you begin:
The timer task mentioned in this article resets whenever the rule triggers. The timer reset works globally and can affect other rule tests for the same log source over a longer timeframe.
Rules of Type "Lack Of Event", such as "Device stopped sending", have a timer task associated with them. By design, when such a rule sees no event for the time specified in the rule, it triggers a delayed response. The rule response is based on a timeout calculation: depending on the value entered for "this many seconds" in the rule test, there can be an extra delay of up to 4 minutes before the rule response fires an Offense. The same behavior occurs for "Lack Of Event" type rules that use either Log Source Types or Log Source Groups.
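The timing behavior above can be seen in a small simulation. This is an added illustration, not QRadar code: it models the timer task as a periodic check, assumes a check period of 240 seconds to mirror the "up to 4 minutes" described in the article, and replays a constructed event stream in which one log source goes silent while another keeps sending. The timer for a source resets when the rule triggers, as the note at the top states.

```python
"""Simulation of a "Lack Of Event" style rule timer (added illustration, not QRadar code).

The rule fires when a log source has sent no events for `timeout_seconds`.
The timer task is modelled as a periodic check every `check_interval_seconds`
(assumed 240 s = 4 minutes). Because the check is periodic, the response lands
somewhere between `timeout` and `timeout + check_interval` after the last event,
which is the extra delay the article describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CHECK_INTERVAL_SECONDS = 240  # assumed period of the timer task (4 minutes)


@dataclass
class LackOfEventRule:
    timeout_seconds: int
    check_interval_seconds: int = CHECK_INTERVAL_SECONDS
    last_seen: Dict[str, float] = field(default_factory=dict)   # log source -> last event time
    fired: List[Tuple[str, float]] = field(default_factory=list)  # (log source, fire time)

    def observe(self, log_source: str, ts: float) -> None:
        """Record that a log source sent an event at time ts."""
        self.last_seen[log_source] = ts

    def check(self, now: float) -> List[str]:
        """One pass of the timer task: fire for each silent source, then reset its timer."""
        triggered = []
        for src, seen in self.last_seen.items():
            if now - seen >= self.timeout_seconds:
                triggered.append(src)
                self.fired.append((src, now))
                self.last_seen[src] = now  # timer resets when the rule triggers
        return triggered


def simulate(rule: LackOfEventRule, events: List[Tuple[float, str]], horizon: float) -> List[Tuple[str, float]]:
    """Replay a time-sorted event stream (timestamp, log source) against the periodic check.

    The timer task runs at t = 0, interval, 2*interval, ... up to `horizon`.
    Events that arrive between two checks are seen by the next check.
    """
    interval = rule.check_interval_seconds
    checks = [k * interval for k in range(int(horizon // interval) + 1)]
    next_event = 0
    for check_time in checks:
        while next_event < len(events) and events[next_event][0] <= check_time:
            ts, src = events[next_event]
            rule.observe(src, ts)
            next_event += 1
        rule.check(check_time)
    return list(rule.fired)


def example_scenario() -> List[Tuple[str, float]]:
    """Constructed scenario: timeout 600 s; fw01 goes silent after 130 s, vpn01 keeps sending."""
    rule = LackOfEventRule(timeout_seconds=600)
    events = [(0.0, "fw01"), (60.0, "fw01"), (130.0, "fw01")]
    events += [(float(t), "vpn01") for t in range(0, 2000, 240)]
    events.sort()
    return simulate(rule, events, horizon=2000.0)


if __name__ == "__main__":
    for src, when in example_scenario():
        print(f"{src}: rule fired at t={when:.0f}s")
```

In the constructed scenario the 600-second timeout for fw01 elapses at t=730 s, but the timer task only runs at 720 s and 960 s, so the response fires at 960 s: 830 seconds after the last event, 230 seconds later than the configured timeout. After firing, the timer for fw01 is reset, so the next response comes at 1680 s rather than at a fixed multiple of the timeout. vpn01, which sends every 240 s, never fires.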
An example of one of these rules:
- Log in to the QRadar User Interface.
- Click Offense tab > Rules.
- Click Actions > New Event Rule.
- Choose from the list a rule similar to "When one or more events have not been detected by one or more of these Log Sources for this many seconds".
- Check Dispatch New Event and add a description.
- Add from the drop-down menu a High-level and Low-level Category.
- Click Ensure the dispatched event is part of an Offense.
- Click the Email box.
- Clear the Response Limiter check box.
Results: In this example, an Offense is triggered 4 minutes after the conditions of the rule are met.
Document Information
Modified date:
13 September 2022
UID
swg22013316