QRadar: How to troubleshoot building blocks that return no events or flows

How To


Summary

Sometimes when an administrator filters on a building block, no results are returned even though events or flows meet its test criteria. This article covers how to ensure that building blocks are enabled.

Objective

This issue can appear when administrators use Quick Filters or AQL searches that reference building blocks in the Log Activity tab. Consider the following example, which uses a building block named Test2 that contains these tests:
Apply Test2 on events which are detected by the Local system
and when the event QID is one of the following (3503982) IP ip WebVPN session started.
and when the event(s) were detected by one or more of Cisco Adaptive Security Appliance (ASA)
When we apply the Test2 building block as our filter, no results are returned.

But when we apply the same tests that the building block uses, the search returns many events.


Why does the building block not return events?
The Custom Rule Engine (CRE) disables building blocks that are not referenced by another rule. Since the building block Test2 is not referenced by any rules, the CRE disables it, and it cannot be used as a search filter.
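The two searches described above, written out in AQL as an added illustration that is not part of the original article. The functions used (RULENAME, QIDNAME, LOGSOURCETYPENAME) are documented AQL functions; that a matched building block is reported by RULENAME(creEventList) in the same way as a rule is an assumption, and the "detected by the Local system" test is omitted.

```sql
-- Search 1: filter on the building block by name.
-- Returns nothing while Test2 is disabled by the CRE: a disabled building
-- block is never evaluated, so it is never recorded against any event.
SELECT starttime, sourceip, QIDNAME(qid) AS event_name
FROM events
WHERE RULENAME(creEventList) ILIKE '%Test2%'
LAST 1 HOURS;

-- Search 2: the same test criteria written out explicitly.
-- Returns the ASA "WebVPN session started" events whether or not Test2 is
-- enabled, because it does not depend on the CRE having fired anything.
SELECT starttime, sourceip, QIDNAME(qid) AS event_name
FROM events
WHERE qid = 3503982
  AND LOGSOURCETYPENAME(devicetype) = 'Cisco Adaptive Security Appliance (ASA)'
LAST 1 HOURS;
```

Once Test2 is referenced by a rule and enabled, Search 1 starts returning events, while Search 2 is unchanged; comparing the two is a quick way to tell a disabled building block from a search that genuinely has no matches.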

Steps

Before you start
Confirm that no existing rule is referencing your building block.
  1. Log in to the QRadar console as an admin user.
  2. Open the Offenses tab.
  3. Click Rules and then Display Rules.
  4. Type the name of your building block into the search bar to see whether any rule references it.

    Result
    If no rules appear in the search, you have confirmed that the building block is not referenced by any rule and, thus, not enabled.
There are two options to enable the building block. You can add it to the User Load Basic Building Blocks rule, or you can reference it from a custom rule of your own.

Add the building block to the User Load Basic Building Blocks rule

If you do not want to reference the building block in one of your own rules, you can add it to the User Load Basic Building Blocks rule.

  1. Log in to the QRadar console as an admin user.
  2. Go to the Offenses page.
  3. Click Rules and then Display Rules.
  4. Type User Load Basic Building Blocks in the search bar.
  5. Edit the rule to add your building block.
    Important: Modify only the rule called User Load Basic Building Blocks and leave Load Basic Building Blocks for native system rules.
  6. Enable the rule.
  7. Click Finish.

    Result
    By referencing the building block in a rule, it becomes enabled and can be used as a filter in the Log Activity tab.

Create a custom rule that references your building block

  1. Log in to the QRadar console as an admin user.
  2. Create a rule that references the building block. For this example, a rule called Test BB 1 is created that references the Test2 building block:
    Apply Test BB 1 on events which are detected by the Local system and when an event matches any of the following Test2

    Result
    By referencing the building block in a rule, it becomes enabled and can be used as a filter in the Log Activity tab.


Document Information

Modified date:
28 June 2023

UID

ibm17005811