IBM Support

QRadar: Event matching multiple routing rules

Question & Answer


Question

How is an event processed if it matches more than one routing rule?

Answer

A routing rule can have a combination of these four routing options:
  1. Forward
  2. Drop
  3. Bypass Correlation
  4. Log Only (Exclude Analytics)
Drop, Bypass Correlation, and Log Only (Exclude Analytics) are mutually exclusive: at most one of them can be selected on a rule, and whichever one is selected can be combined with Forward. The valid combinations of routing options are therefore:
  • Forward
  • Forward + Log Only (Exclude Analytics)
  • Forward + Bypass Correlation
  • Forward + Drop
  • Log Only (Exclude Analytics)
  • Bypass Correlation
  • Drop
Routing option combinations are ranked by their impact on the event, from Forward (least impact) to Drop (highest impact, because the event is discarded and lost):
  1. Forward
  2. Forward + Log Only (Exclude Analytics)
  3. Forward + Bypass Correlation
  4. Forward + Drop
  5. Log Only (Exclude Analytics)
  6. Bypass Correlation
  7. Drop
If an event matches multiple routing rules, the least impactful routing option is applied.
Example 1: Consider an event that matches two routing rules:

(A) a rule that is configured to Drop that event and
(B) a rule for that event to Bypass Correlation

In the given situation, the event is not dropped. Instead, it bypasses correlation and is stored in the database because Bypass Correlation has a lesser impact than Drop.
Example 2: Consider an event that matches two routing rules:

(A) a rule that is configured to Forward + Drop that event and
(B) a rule for that event to Bypass Correlation

In this case, the event is forwarded and dropped; it does not bypass correlation, because Forward + Drop ranks as less impactful than Bypass Correlation on its own in the ordering above.
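The following Python script is an added illustration of the resolution logic described above; it is not IBM code and not part of the QRadar product. The option names and the impact ordering are taken from this article, while the function names (`validate_rule`, `resolve_routing`, `effective_outcome`) and the rule sets used as input are constructed for the example. It generalises the two examples to any number of matching rules and also rejects a rule that combines two of the mutually exclusive options.

```python
from typing import Dict, FrozenSet, Iterable, List

# Routing options as named on the QRadar routing rule page.
FORWARD = "Forward"
DROP = "Drop"
BYPASS = "Bypass Correlation"
LOG_ONLY = "Log Only (Exclude Analytics)"

# Only one of these three may be selected on a single routing rule.
EXCLUSIVE = frozenset({DROP, BYPASS, LOG_ONLY})

# Impact ordering from the article, least impactful first. The index in this
# list is the rank used when several rules match the same event.
IMPACT_ORDER: List[FrozenSet[str]] = [
    frozenset({FORWARD}),
    frozenset({FORWARD, LOG_ONLY}),
    frozenset({FORWARD, BYPASS}),
    frozenset({FORWARD, DROP}),
    frozenset({LOG_ONLY}),
    frozenset({BYPASS}),
    frozenset({DROP}),
]


def validate_rule(options: Iterable[str]) -> FrozenSet[str]:
    """Normalise one rule's option set and reject combinations the UI does not allow."""
    opts = frozenset(options)
    if not opts:
        raise ValueError("a routing rule must select at least one option")
    unknown = opts - {FORWARD} - EXCLUSIVE
    if unknown:
        raise ValueError(f"unknown routing option(s): {sorted(unknown)}")
    if len(opts & EXCLUSIVE) > 1:
        raise ValueError(
            "Drop, Bypass Correlation and Log Only are mutually exclusive: "
            f"{sorted(opts & EXCLUSIVE)}"
        )
    return opts


def impact_rank(options: Iterable[str]) -> int:
    """Rank of a valid combination: 0 for Forward, 6 for Drop."""
    return IMPACT_ORDER.index(validate_rule(options))


def resolve_routing(matched_rules: Iterable[Iterable[str]]) -> FrozenSet[str]:
    """Return the combination applied when an event matches every rule in matched_rules.

    Per the article, the least impactful combination wins, so the lowest rank is chosen.
    """
    candidates = [validate_rule(rule) for rule in matched_rules]
    if not candidates:
        raise ValueError("event matched no routing rule")
    return min(candidates, key=IMPACT_ORDER.index)


def effective_outcome(matched_rules: Iterable[Iterable[str]]) -> Dict[str, bool]:
    """Summarise what happens to the event under the winning combination."""
    winner = resolve_routing(matched_rules)
    return {
        "forwarded": FORWARD in winner,
        "dropped": DROP in winner,
        "bypass_correlation": BYPASS in winner,
        "log_only": LOG_ONLY in winner,
    }


if __name__ == "__main__":
    # Constructed inputs mirroring Example 1 and Example 2 from the article.
    example_1 = [{DROP}, {BYPASS}]
    example_2 = [{FORWARD, DROP}, {BYPASS}]
    for name, rules in (("Example 1", example_1), ("Example 2", example_2)):
        print(name, sorted(resolve_routing(rules)), effective_outcome(rules))
```

Running the script prints the winning combination for each example: Bypass Correlation for Example 1 and Forward + Drop for Example 2. The `validate_rule` check matters when rule definitions are generated or imported rather than built in the UI, since a rule that somehow carries two of the exclusive options has no defined position in the ordering.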


Document Information

Modified date: 04 February 2021

UID: ibm16406620