How To
Summary
The QRadar Custom Rule Engine has a test:
and when events have not been detected by <LogSource(s)> for <time>
to monitor Log Source(s) that have stopped sending events for a set period of time. This test is unique insofar as it looks for a "lack of events" rather than testing the properties of one or more correlated events in the QRadar pipeline.
As a result there are no matching events that an Offense can use to extract an Index value or other properties from. The intended design of QRadar was for this kind of rule to create a Custom Rule Engine event "Device Has Stopped Emitting Events" with QID 38750074 to notify an administrator to perform restorative action on the log source so event ingestion could resume.
However, some users in the field have wanted an Offense to be triggered for this kind of occurrence. This technote outlines the best steps to accomplish that use case.
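To make the "lack of events" idea concrete, here is an added, stand-alone illustration (not QRadar's own engine or API) of what such a test evaluates: for each log source a monitor expects to hear from, it checks whether any event arrived inside a silence threshold and, if not, produces a notification record shaped like the CRE event named above. The sample event list, the source names, the threshold, and the function names (`silent_sources`, `stopped_emitting_notifications`) are all constructed for this example; only the event name and QID 38750074 come from the technote.

```python
"""Illustration of a "no events from <LogSource> for <time>" check.
Added example; it does not reproduce QRadar's Custom Rule Engine."""
from datetime import datetime, timedelta, timezone

# Constructed sample input: (log source name, UTC event timestamp) pairs,
# roughly what a collector sees. Not real QRadar data.
SAMPLE_EVENTS = [
    ("fw-edge-01", "2025-04-11T09:00:05Z"),
    ("fw-edge-01", "2025-04-11T09:58:40Z"),
    ("dc-auth-01", "2025-04-11T08:10:00Z"),
    ("vpn-gw-01",  "2025-04-11T09:59:30Z"),
]

# Sources the monitor expects to hear from; "proxy-01" never sends anything,
# which is the edge case an absence test must still catch.
EXPECTED_SOURCES = ["fw-edge-01", "dc-auth-01", "vpn-gw-01", "proxy-01"]

# Event name and QID as stated in the technote; everything else is assumed.
STOPPED_EVENT_NAME = "Device Has Stopped Emitting Events"
STOPPED_EVENT_QID = 38750074


def parse_ts(value):
    """Parse a Zulu ISO-8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events):
    """Map each log source to the timestamp of its most recent event."""
    seen = {}
    for source, ts in events:
        t = parse_ts(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def silent_sources(events, expected_sources, threshold, now):
    """Return {source: last_seen_or_None} for every expected source that has
    produced no event within `threshold` before `now`. A source that never
    appears at all is reported with None: there is no matching event to
    index an Offense on, which is exactly why the rule emits its own event."""
    seen = last_seen(events)
    quiet = {}
    for src in expected_sources:
        last = seen.get(src)
        if last is None or now - last > threshold:
            quiet[src] = last
    return quiet


def stopped_emitting_notifications(events, expected_sources, threshold, now):
    """Build one notification record per silent source, shaped like the
    CRE event the technote describes (name and QID from the page)."""
    records = []
    for src, last in sorted(silent_sources(events, expected_sources, threshold, now).items()):
        records.append({
            "event_name": STOPPED_EVENT_NAME,
            "qid": STOPPED_EVENT_QID,
            "log_source": src,
            "last_seen": last.isoformat() if last else None,
            "silent_for_seconds": None if last is None else int((now - last).total_seconds()),
        })
    return records


if __name__ == "__main__":
    now = parse_ts("2025-04-11T10:00:00Z")
    for rec in stopped_emitting_notifications(SAMPLE_EVENTS, EXPECTED_SOURCES,
                                              timedelta(minutes=30), now):
        print(rec)
```

Run as-is it reports `dc-auth-01` (silent for 110 minutes) and `proxy-01` (never seen); the two sources that sent an event in the last 30 minutes are not flagged. The `None` path for a never-seen source is the part worth keeping in any real heartbeat check, since a monitor that only iterates over sources it has already seen can never notice one that is missing entirely.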
Document Location
Worldwide
Document Information
Modified date:
11 April 2025
UID
ibm17230713