IBM Support

QRadar: Rule response limiter not working after I close a related offense

Question & Answer


Question

When an event triggers a rule that creates offenses indexed on a field, and the rule's responses are limited on that same field, the rule creates multiple offenses. When one of these offenses is closed, all related rules refire their responses on the next matching offense, regardless of the response limiter. This article explains why the response limiter is ignored in this situation.

Cause

Only the indexed offense item closed has its response limiter reset.

Answer

A limiter does not belong to an offense but to its rule. All rule chains related to an offense are reset when that offense is closed, so closing the offense resets all functions, limiters, and timers related to any of those rules. The following example illustrates this behavior:

1. You have rules A and B.
2. Events come in that trigger rules A and B to create the respective offenses A1 and B2.
3. You close offense A1, thus resetting all rule chains related to rule A.
4. When an event that triggers rule A comes in, QRadar dispatches a new event and creates a new offense for A.
5. When an event that triggers rule B comes in, QRadar dispatches a new event and adds the event to offense B2. This counts toward B's response limiter.


Document Information

Modified date:
10 January 2023

UID

ibm16852637