IBM Support

QRadar: What is the precedence of routing rule options

Question & Answer


Question

What is the precedence of routing rule options?

Answer

Routing rules are a feature that lets the user apply different actions to events. To access the routing rules menu, follow these steps:
  1. On the navigation menu, click Admin
  2. In the System Configuration section, click Routing Rules
To learn more about how to create routing rules, read the following article:
Configuring routing rules to forward data
Routing rules have 4 action options to use on events.
To learn more about each option and the possible combinations, read the following article:
Routing rule options have a hierarchy: when several rules target the same events, the rule whose option has higher priority overrides the others. The precedence is, from highest to lowest priority, as follows:
  1. Forward + Bypass Correlation: Data is forwarded to the specified forwarding destination. Data is also stored in the database, but it is not processed by the Custom Rules Engine (CRE).
  2. Forward + Log Only: Events are forwarded to the specified forwarding destination. Events are stored and flagged in the local QRadar database as Log Only and Custom Rules Engine (CRE) is bypassed.
  3. Forward: Data is forwarded to the specified forwarding destination. Data is also stored in the database and processed by the Custom Rules Engine (CRE).
  4. Forward + Drop: Data is forwarded to the specified forwarding destination. Data is not stored in the database and is not processed by the Custom Rules Engine (CRE).
  5. Bypass Correlation: Data bypasses Custom Rules Engine (CRE), but it is stored in the database.
  6. Log Only: Events are stored and flagged in the database as Log Only and bypass Custom Rules Engine (CRE). These events are not available for historical correlation, and are credited back 100% to the license.
  7. Drop: The data is not stored in the database and is not processed by the Custom Rules Engine (CRE). Any events that are dropped are credited back 100% to the license.
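The following added example (not IBM code and not a QRadar API) applies the precedence list above to a set of overlapping rules and reports which rules are overridden and which events end up outside the Custom Rules Engine or the database. The rule names, log source names, and the exact-match filter model are assumptions constructed for illustration.

```python
# Added example: constructed rules/events; the filter model is a simplification.
# (option, forwarded, stored, processed_by_CRE), highest precedence first,
# exactly as listed in the article above.
PRECEDENCE = [
    ("Forward + Bypass Correlation", True,  True,  False),
    ("Forward + Log Only",           True,  True,  False),
    ("Forward",                      True,  True,  True),
    ("Forward + Drop",               True,  False, False),
    ("Bypass Correlation",           False, True,  False),
    ("Log Only",                     False, True,  False),
    ("Drop",                         False, False, False),
]
RANK = {name: i for i, (name, _f, _s, _c) in enumerate(PRECEDENCE)}
EFFECT = {name: {"forwarded": f, "stored": s, "cre": c} for name, f, s, c in PRECEDENCE}

def resolve(event, rules):
    """Return (winning_rule, overridden_rules) for one event, or (None, [])."""
    hits = [r for r in rules
            if all(event.get(k) == v for k, v in r["filter"].items())]
    hits.sort(key=lambda r: RANK[r["option"]])  # stable sort: ties keep list order
    return (hits[0], hits[1:]) if hits else (None, [])

def audit(events, rules):
    """List (event_id, issue, rule_name) findings for a reviewer."""
    findings = []
    for ev in events:
        winner, overridden = resolve(ev, rules)
        if winner is None:
            continue
        findings += [(ev["id"], "overridden", r["name"]) for r in overridden]
        effect = EFFECT[winner["option"]]
        if not effect["cre"]:
            findings.append((ev["id"], "no-cre", winner["name"]))
        if not effect["stored"]:
            findings.append((ev["id"], "not-stored", winner["name"]))
    return findings

# Constructed sample data (hypothetical rule names and log sources).
RULES = [
    {"name": "fw-to-lake", "filter": {"log_source": "fw-edge"}, "option": "Forward + Bypass Correlation"},
    {"name": "all-to-soc2", "filter": {}, "option": "Forward"},  # empty filter matches every event
    {"name": "drop-dns-debug", "filter": {"log_source": "dns-debug"}, "option": "Drop"},
]
EVENTS = [{"id": "e1", "log_source": "fw-edge"},
          {"id": "e2", "log_source": "dns-debug"},
          {"id": "e3", "log_source": "ad-dc"}]

if __name__ == "__main__":
    for finding in audit(EVENTS, RULES):
        print(finding)
```

In this sample, the firewall events (e1) skip the CRE because Forward + Bypass Correlation outranks the catch-all Forward rule, and the Drop rule for e2 never takes effect because Forward outranks it.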


Document Information

Modified date:
14 September 2022

UID

ibm16618809