IBM Support

QRadar: How do the "event(s) have not been detected" custom rule tests work?

Question & Answer


Question

Please explain the functionality and nuances of the custom rule tests that look for the lack of events from specific log sources.

Answer

The three tests that use this logic are:
  • when the event(s) have not been detected by one or more of these log source types for this many seconds
  • when the event(s) have not been detected by one or more of these log sources for this many seconds
  • when the event(s) have not been detected by one or more of these log source groups for this many seconds

These tests monitor the absence of events from the specified log source(s). They are not triggered by an incoming event; they fire when no event has been seen from a log source within the configured interval.
The rule fires when the difference between the current time and the event last-seen time for the log source exceeds the number of seconds configured in the rule. Because there is no incoming event to evaluate, these rules can only run on a timer.
Note: The maximum value for this timer is 10 minutes (600 seconds).

These tests are only executed in the custom rule engine on the Console, so the "global" and "local" designations do not apply.

Since the tests are not executed against individual events, these rules will not contribute to performance degradation at the custom rule engine.

The tests use the timestamp_last_seen value from the sensordevice table to determine whether the test should fire.
Note: This value is updated by the ecs-ec service throughout the deployment and does not depend on the events reaching ecs-ep or being stored in Ariel. As a result, an interruption in the event pipeline downstream of ecs-ec (for example, a broken connection between ecs-ec and ecs-ep) does not trigger these tests, even though no events from the affected log sources are being correlated or stored.
The tests trigger a unique action: the generation of a new event with QID 38750074 (category System.Service Disruption) that contains the log source ID of the log source that stopped generating events. The event name has the form:
"Log source <source name> (<source IP>) has stopped emitting events".
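As an added example (not QRadar code or IBM's implementation), the following Python model replays the logic described above: on each timer tick it compares the current time with timestamp_last_seen for the log sources the rule is scoped to, and emits a QID 38750074 event for each one whose age exceeds the configured seconds. It treats the 600-second maximum as a bound on the configured interval, and it makes the note about ecs-ec concrete: a log source whose events are parsed by ecs-ec but never reach ecs-ep or Ariel keeps a fresh timestamp_last_seen and so does not fire. The sensordevice rows are constructed in the script, and all field and function names other than timestamp_last_seen and the QID are assumptions made for the illustration.

```python
"""Model of the "event(s) have not been detected ... for this many seconds" tests.

Added example, not QRadar code: it replays the check the article describes
(current time minus timestamp_last_seen greater than the configured seconds,
evaluated on a timer on the Console) over a constructed in-memory copy of a
few sensordevice rows. Every name here other than timestamp_last_seen and
the QID is an assumption made for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

QID_STOPPED_EMITTING = 38750074   # QID named in the article (System.Service Disruption)
MAX_INTERVAL_SECONDS = 600        # upper bound the article gives for the timer


@dataclass(frozen=True)
class SensorDevice:
    """Constructed stand-in for a sensordevice row (field names assumed)."""
    id: int
    name: str
    ip: str
    timestamp_last_seen: datetime   # written by ecs-ec as it parses events
    events_reaching_ariel: bool     # NOT consulted by the test; shown only to make the caveat concrete


@dataclass(frozen=True)
class GeneratedEvent:
    qid: int
    log_source_id: int
    name: str


def interval_is_valid(seconds: int) -> bool:
    """Reject intervals outside the 1..600 second range the article gives."""
    return 1 <= seconds <= MAX_INTERVAL_SECONDS


def evaluate_tick(rows, watched_ids, interval_seconds, now):
    """One timer tick of the rule: fire once per watched log source whose
    last-seen age exceeds the configured interval. No incoming event is
    examined; only the stored timestamp and the clock are compared."""
    if not interval_is_valid(interval_seconds):
        raise ValueError(f"interval must be 1..{MAX_INTERVAL_SECONDS} seconds")
    fired = []
    for row in rows:
        if row.id not in watched_ids:
            continue                      # the rule is scoped to the selected log sources
        age = (now - row.timestamp_last_seen).total_seconds()
        if age > interval_seconds:
            fired.append(GeneratedEvent(
                qid=QID_STOPPED_EMITTING,
                log_source_id=row.id,
                name=f"Log source {row.name} ({row.ip}) has stopped emitting events",
            ))
    return fired


def demo():
    """Constructed scenario: three watched log sources plus one outside the rule's scope."""
    now = datetime(2024, 5, 21, 12, 0, 0, tzinfo=timezone.utc)
    rows = [
        # healthy: parsed by ecs-ec 30 s ago and stored normally
        SensorDevice(1, "dc01-winlog", "10.0.0.5", now - timedelta(seconds=30), True),
        # silent: nothing parsed for 15 minutes -> fires
        SensorDevice(2, "edge-fw", "10.0.0.1", now - timedelta(seconds=900), False),
        # stuck after ecs-ec: ecs-ec keeps stamping timestamp_last_seen even though the
        # ecs-ec -> ecs-ep link is down, so nothing reaches Ariel and the test does NOT fire
        SensorDevice(3, "vpn-gw", "10.0.0.9", now - timedelta(seconds=20), False),
        # silent, but not in the rule's log source list -> ignored
        SensorDevice(4, "lab-switch", "10.0.9.9", now - timedelta(seconds=7200), False),
    ]
    return evaluate_tick(rows, watched_ids={1, 2, 3}, interval_seconds=300, now=now)


if __name__ == "__main__":
    for ev in demo():
        print(ev.qid, ev.log_source_id, ev.name)
```

Running the script reports only log source 2 (edge-fw). Log source 3 is the case the note warns about: its events stopped reaching Ariel, but because ecs-ec still updates timestamp_last_seen the rule sees nothing wrong, so a pipeline break downstream of ecs-ec needs a separate check.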


Document Information

Modified date:
21 May 2024

UID

ibm17150379