IBM Support

QRadar: Response limiter in rule wizard only limits the response instead of the rule

Question & Answer


Question

What is the Response Limiter?
The Response Limiter in QRadar is an important option for fine-tuning how custom rules can react to events.

What does the response limiter do?
The Response Limiter regulates the frequency with which a rule does its designated actions over a period. In essence, it places a cap on how many times the rule carries out its matching event response execution. The response limiter thus keeps your system from becoming overloaded with warnings in instances when events happen quickly.

What the response limiter does not do?

Doesn't Limit Rule Matching: Even with response limiter option active, the rule still evaluates every event that meets its defined criteria. It controls how the rule responds to those matching events.
Doesn't Prevent Offense Creation: If rule is set to automatically add matching events to offenses, the Response Limiter option does not stop this action. Offenses are created for each event that triggers the rule, regardless of the limiter settings.
Doesn't Affect Rule Actions on Individual Events: The limiter applies across a period, not to individual events. If multiple events trigger the rule within the period, the limiter might suppress some responses, but it does not prevent the rule from evaluating and potentially acting on each event.
 
Feature Affected By Response Limiter Option
Rule Matching NO
Offense Creation(if configured) NO
Custom Actions YES
Notifications YES
Why doesn't the Response Limiter prevent events from matching a custom rule?
Rather than focusing on whether the event meets the criteria of the rule, the response limiter analyses how the rule reacts to a matching event.
Email can be effectively limited with the response limiter feature. The response limiter helps keep the mailbox from being overloaded with messages from the same rule during times of high event activity. It aids in maintaining your attention on urgent alerts.
For instance, imagine a rule that triggers an email notification for every failed login attempt. With the Response Limiter, you can set a threshold, for example 10 emails per minute. Thus, you're alerted to the issue but avoids an overwhelming incoming surge of emails for individual failed attempts.
Optimizing Resource Usage: The Response Limiter also helps optimize resource usage. By limiting how often the rule runs custom scripts or writes log messages, you can prevent unnecessary strain on your system, especially during peak event periods.
However, response limiters have an impact if you use it to create offenses and want to change the name of the offense.
While the Response Limiter excels at managing rule actions like limiting emails, it can indirectly affect offense creation in a specific scenario:
Dynamic Offense Naming: If rule relies on custom logic within the "Ensure detected event is part of an offense" to dynamically generate the offense name based on event data, it might disrupt the process.
The issue is:
The Response Limiter controls the overall frequency of the rule's actions within a time frame. If offense creation with dynamic naming is one of the actions, the limiter might suppress some offense creations if the limit is reached. This can lead to missed offenses or inconsistencies in the offense naming scheme.

Alternative Approaches for Dynamic Offense Naming:
To circumvent this limitation and ensure proper offense creation with dynamic names, here are a couple of effective strategies:
Custom Rule with Dispatch New Event:
Configure your rule to use the "Dispatch New Event" action instead of relying on the "Ensure detected event is part of an offense" action.
Within the custom event definition, you can embed the logic for dynamically generating the offense name that uses event data.
This approach separates offense creation from the Response Limiter, ensuring that all relevant events contribute to offenses with the proper names.

Answer

By design, the Response Limiter only limits the items in the Rule Response section of the Rule Wizard:

Only the items in the red box are affected by Response Limiter

The custom rule still will match every event that matches the defined tests, and those matching events will be flagged as having matched the rule. 
However, after the threshold in the Response Limiter has been met, any of the response items will be suppressed until the Response Limiter time has expired.

There are some changes in rule response behaviour and match count behaviour that took place between 7.4.3 UP1 and and 7.5.0. UP5.

 Roughly the changes were:

7.4.3 FP1 - Response Limiters of stateless rules reset when all associated offenses closed for a particular rule index.

7.4.3 FP3 - Match count counters reset if associated offenses closed for a particular rule index

7.4.3 FP7/7.5.0 UP3 - Response Limiters for stateful and stateless rules reset when any associated offense closed for a particular rule index.

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"Rules;Offenses","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
09 July 2024

UID

ibm10719333

Page Feedback