IBM Support

QRadar: Response limiters and their impact

Question & Answer


How does the Response Limiter option work for custom rules in QRadar?


The response limiter restricts how often a rule's responses are triggered within a set period of time. It does not limit how many times the rule fires over its lifetime.

The response limiter can be used to keep a rule from triggering excessive responses, such as email notifications or reference set updates. In most cases, the property chosen for the response limiter is the same property used for the offense indexing.
In the following example, the indexed property is Username. The wizard is configured to dispatch a new event once every 30 minutes per rule when the username is the same. If the rule matches 300 times in a 30-minute time span, only one event is dispatched. As seen in the screen capture, the response limiter affects only the Rule response.
[Screen capture: rule wizard]
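The behaviour described above, modelled as an added Python example (not IBM's or QRadar's code). It assumes the 30-minute window is measured from the last response dispatched for the same rule and username; the rule name, usernames and timestamps are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # limiter interval from the example above


class ResponseLimiter:
    """Toy model: at most one response per (rule, property value) per window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last_response = {}      # (rule, value) -> time of last dispatched response
        self.fired = Counter()       # every rule match is counted, never limited
        self.dispatched = Counter()  # responses that actually went out

    def on_rule_match(self, rule, value, when):
        """Record a rule match; return True if the rule response is dispatched."""
        key = (rule, value)
        self.fired[key] += 1
        last = self.last_response.get(key)
        if last is not None and when - last < self.window:
            return False             # rule fired, response suppressed
        self.last_response[key] = when
        self.dispatched[key] += 1
        return True


def simulate():
    """Replay constructed rule matches and return the populated limiter."""
    limiter = ResponseLimiter()
    rule = "Example rule"                   # hypothetical rule name
    start = datetime(2023, 1, 10, 9, 0, 0)  # constructed timestamp
    # 300 matches for one username inside a single 30-minute span
    for i in range(300):
        limiter.on_rule_match(rule, "alice", start + timedelta(seconds=5 * i))
    # A different username is limited independently of the first
    limiter.on_rule_match(rule, "bob", start + timedelta(minutes=10))
    # Same username again, after the window has elapsed
    limiter.on_rule_match(rule, "alice", start + timedelta(minutes=31))
    return limiter


if __name__ == "__main__":
    result = simulate()
    for key in result.fired:
        print(key, "fired:", result.fired[key], "responses:", result.dispatched[key])
```

The fired count keeps growing while responses stay capped, which is why searches and offense counts still reflect every match even when only one notification is sent.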


Document Information

Modified date:
10 January 2023