IBM Support

QRadar: How to create a routing rule to drop unwanted events

How To


Summary

This article explains how to create a routing rule to drop events that the user does not want stored in QRadar.

Objective

Dropped events are not stored in the database, and any events that are dropped are credited back to the license. For more information, see the following article: QRadar: License EPS rates and giveback.
Important: Routing rules are applied after events are parsed in the event pipeline. Size your hardware for the raw incoming event rate, because license giveback occurs later in the pipeline. Giveback does not reduce the hardware requirements; it only credits the dropped events back to the existing license. For example, hardware limited to 10000 EPS cannot accept 12000 EPS even when a routing rule drops and gives back 2000 of those events, because the raw rate exceeds the system's hardware capacity.
Note: A routing rule that uses the "Drop" option is overruled by any other routing option, in any routing rule, that targets the same event. If the Drop rule is overruled, the event is not dropped. For more information, see QRadar: What is the precedence order for routing rules.
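The following Python is an added illustration, not IBM code or QRadar's implementation. It models the two caveats above: hardware capacity is judged on the raw rate because drops happen after parsing, and a Drop rule is overruled when any other routing option targets the same event. The rule names, Event IDs, rates and the "Forward" option used as the competing routing option are constructed for the example.

```python
"""Illustrative model of QRadar routing-rule Drop semantics (not QRadar code).

Rule names, Event IDs, rates and routing options below are constructed."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RoutingRule:
    name: str
    event_ids: frozenset        # the "Equals any of" Event ID filter
    routing_option: str         # "Drop", or any other routing option (e.g. "Forward")


def is_dropped(rules: Iterable[RoutingRule], event_id: str) -> bool:
    """An event is dropped only if every routing rule targeting it says Drop.

    Any other routing option on the same event overrules the Drop rule, so a
    Drop rule plus a Forward rule for the same Event ID results in no drop."""
    options = {r.routing_option for r in rules if event_id in r.event_ids}
    return bool(options) and options == {"Drop"}


def evaluate_second(rules: Iterable[RoutingRule], events: List[str],
                    hardware_eps: int, license_eps: int) -> dict:
    """Evaluate one second of traffic (a constructed list of Event IDs).

    Hardware sizing is checked against the raw rate, because routing rules
    run after parsing; only the license is credited for dropped events."""
    rules = list(rules)
    raw = len(events)
    dropped = sum(1 for e in events if is_dropped(rules, e))
    license_used = raw - dropped          # dropped events are given back
    return {
        "raw_eps": raw,
        "dropped": dropped,
        "license_eps_used": license_used,
        "within_hardware": raw <= hardware_eps,      # raw rate, not post-drop rate
        "within_license": license_used <= license_eps,
    }


# Constructed sample rules: the heartbeat Drop rule is overruled by a Forward rule.
RULES = [
    RoutingRule("Drop noisy firewall permits", frozenset({"FW-PERMIT"}), "Drop"),
    RoutingRule("Drop app heartbeats", frozenset({"APP-HEARTBEAT"}), "Drop"),
    RoutingRule("Forward heartbeats", frozenset({"APP-HEARTBEAT"}), "Forward"),
]

# Constructed one-second sample: 12 events, of which 5 match an unopposed Drop rule.
SAMPLE_SECOND = ["FW-PERMIT"] * 5 + ["APP-HEARTBEAT"] * 3 + ["AUTH-LOGIN"] * 4

if __name__ == "__main__":
    # 12 raw EPS on 10 EPS hardware fails even though only 7 count against the license.
    print(evaluate_second(RULES, SAMPLE_SECOND, hardware_eps=10, license_eps=10))
    # The same traffic on 15 EPS hardware fits, and stays within a 10 EPS license.
    print(evaluate_second(RULES, SAMPLE_SECOND, hardware_eps=15, license_eps=10))
```

Running the block prints the two evaluations: the first shows the page's scenario in miniature (raw rate over hardware capacity despite giveback), the second shows the same traffic fitting once hardware is sized for the raw rate.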

Environment

QRadar and QRadar on Cloud users.

Steps

  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Click the Routing Rules icon.
  4. On the toolbar, click Add.
  5. In the new routing rule window, enter the following values for the event you want to drop:
    • Name: A name that explains what the rule is about.
    • Description: Add more context to the rule.
    • Mode: Online. The Drop option is available only in Online mode.
    • Data Source: Events.
    • Event Filter: Select Event ID, then Equals any of, and add the Event ID (or IDs) of the events to drop.
    • Routing Options: Drop.
  6. Click Save.
  7. If prompted, click Deploy Changes.

    Result
    After the deployment completes, the change is applied to all appliances. If you experience issues with routing rules or errors in the user interface, contact QRadar Support.

Document Location

Worldwide


Document Information

Modified date:
25 July 2023

UID

ibm16614833