IBM Support

QRadar: Response limiter in rule wizard only limits the response instead of the rule

Question & Answer


Question

Why does the rule response limiter only limit the response and has no bearing on the rule action?

Answer

When administrators use the Response Limiter, they often assume that the limiter stops the rule from firing based on the criteria configured in the Response Limiter. What actually happens is that the response is limited, not the rule. The rule still fires as many times as events match the rule criteria. For example, suppose you configure a rule to respond once per hour per rule. If the rule matches 300 times in that one-hour span, only one response is sent. If you search to see how many times the rule matched in that hour, you see 300 events.

The use of response limiters also affects emails, reducing the frequency at which you receive an email notification. However, if you use Dispatch a New Event for offense creation and want to manipulate the name of the offense, response limiters impact this as well.
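
The following model, added here as an illustration and not QRadar's own code, separates the two counters the answer describes: how many times a rule matched (what an event search shows) and how many responses the limiter actually let through. The rule, event fields, timestamps and the per-source-IP keying are constructed assumptions for the example; the page itself only describes the per-rule case.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# Constructed event shape: {"time": datetime, "sourceip": str, "eventname": str}
Event = dict


class ResponseLimiter:
    """'Respond no more than max_responses times per window, per key'.

    key_fn picks what the counter is kept per. The page's example is per rule,
    so the default key is the constant "rule". Keying by source IP (below) is
    an added generalization for illustration, not something the page states.
    """

    def __init__(self, max_responses: int, window: timedelta,
                 key_fn: Callable[[Event], str] = lambda e: "rule") -> None:
        self.max_responses = max_responses
        self.window = window
        self.key_fn = key_fn
        self._state: Dict[str, Tuple[datetime, int]] = {}  # key -> (window start, count)

    def allow(self, event: Event) -> bool:
        key = self.key_fn(event)
        now = event["time"]
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window:           # window expired: open a new one
            start, count = now, 0
        if count >= self.max_responses:          # limit reached: response suppressed
            self._state[key] = (start, count)
            return False
        self._state[key] = (start, count + 1)
        return True


class Rule:
    """A rule test plus an optional response limiter.

    `matches` is what a search for events that matched the rule would show;
    `responses` is what the limited response (email, dispatched event) would do.
    """

    def __init__(self, name: str, test: Callable[[Event], bool],
                 limiter: ResponseLimiter = None) -> None:
        self.name, self.test, self.limiter = name, test, limiter
        self.matches: List[Event] = []
        self.responses: List[Event] = []

    def process(self, event: Event) -> None:
        if not self.test(event):
            return
        self.matches.append(event)               # the rule fires on every match...
        if self.limiter is None or self.limiter.allow(event):
            self.responses.append(event)         # ...but the response is limited


def simulate(n_events: int = 300, spacing_seconds: int = 12,
             per_source_ip: bool = False, n_sources: int = 1) -> Tuple[int, int]:
    """Feed n_events matching events, spacing_seconds apart, through a rule
    limited to one response per hour. Returns (rule matches, responses sent)."""
    t0 = datetime(2021, 5, 20, 0, 0, 0)          # constructed start time
    key_fn = (lambda e: e["sourceip"]) if per_source_ip else (lambda e: "rule")
    rule = Rule("Constructed: repeated login failures",
                lambda e: e["eventname"] == "Login Failure",
                ResponseLimiter(1, timedelta(hours=1), key_fn))
    for i in range(n_events):
        rule.process({"time": t0 + timedelta(seconds=i * spacing_seconds),
                      "sourceip": f"10.0.0.{i % n_sources + 1}",   # constructed
                      "eventname": "Login Failure"})
    return len(rule.matches), len(rule.responses)


if __name__ == "__main__":
    print(simulate())                                  # 300 matches within one hour, 1 response
    print(simulate(spacing_seconds=24))                # 300 matches over two hours, 2 responses
    print(simulate(per_source_ip=True, n_sources=3))   # limiter keyed per source IP, 3 responses
```

With the page's scenario (300 matching events inside one hour, limit of one response per hour per rule) the model returns 300 matches and 1 response, which is exactly the discrepancy between an event search and the number of emails or dispatched events an administrator sees. Spreading the same events over two hours yields two responses, and keying the limiter by source IP instead of by rule yields one response per distinct source, while the match count stays at 300 in every case.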


Document Information

Modified date:
20 May 2021

UID

ibm10719333