How To
Summary
This article explains how to create a routing rule to drop events that the user does not want to store in QRadar®.
Objective
This guide can be used by both QRadar and QRadar on Cloud users. The guide shows how to create a routing rule to drop unwanted events. The dropped events are not stored in the database. Any events that are dropped are credited back 100% to the license. For more information, see the article "QRadar: License EPS rates and giveback".
Important: Routing rules that use the "Drop" option alone are overruled by all other routing rule options that target the same specific event. This situation can cause the specific event not to be dropped as wanted.
Steps
- Log in as an administrator to QRadar.
- Click the Admin tab on the console.
- Click the Routing Rules icon.
- On the toolbar, click Add.
- In the new routing rule window, enter the following values for the event you want to drop:
  - Name: A name that explains what the rule is about.
  - Description: Add more context to the rule.
  - Mode: Online. The Drop option is only available in Online mode.
  - Data Source: Events.
  - Event Filter: Select Event ID, Equals any of, and add the Event ID.
  - Routing Options: Drop.
  When you finish adding the information, click the Save button.
- If prompted, click the Deploy Changes button.
Results
After the deployment completes, the change is applied to all appliances. If you experience issues with routing rules or errors in the user interface, contact QRadar Support.
Document Location
Worldwide
Document Information
Modified date: 30 August 2022
UID: ibm16614833