IBM Support

QRadar: Why is the Add Anomaly Rule option greyed out in the Log Activity section

Question & Answer


Question

Why is the Add Anomaly Rule option greyed out in the Log Activity section?

Answer

The Add Anomaly Rule option is greyed out in the figure above. This is because Anomaly Rules require a Saved Search that defines the anomaly before the rule can be created.


Once a Saved Search has been defined, the Add Anomaly Rule button will no longer be greyed out. To create an Anomaly Rule:
 

  1. Create a Search or use a predefined Search from Saved Searches.
  2. If the search is not saved, click Save Criteria and add it to your list of Searches.
  3. Re-run the Search.
  4. From the Menu Bar, click Rules > Add Anomaly Rule. The Rule Wizard will open.
  5. Click Next and add your Rule Response.
  6. Click Finish.

Your Anomaly Rule is now complete.


Document Information

Modified date:
02 April 2020

UID

swg21691532