IBM Support

QRadar: Rules with partial match

Question & Answer


How do partially matched rules with functions work?


Rules that use function tests, such as counter and timer functions, are more complex and require more processing resources. When you use a function with a count-over-time method, such as x events over y time period, the rule matches a single event for whatever properties you are indexing the rule on and starts tracking that rule for that specific key. The indexed properties together form a unique key in memory for tracking, such as each username and IP address pair. That key is then tracked over the time window specified in the function timer.

Each unique username and IP address pair creates a separate tracked pending offense object in the CRE memory space. Events that partially match these function-based rules are tagged with the rule in their partial match field, which can then be searched on. Once the required number of events is matched within the timer window, the rule response section fires.
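The keyed counter described above, modelled as an added Python example (not QRadar's own CRE code); the rule name, the event property names and the reset-on-fire behaviour are assumptions made for the illustration:

```python
from collections import defaultdict, deque

class CounterRule:
    """Toy model (assumed, not QRadar's own CRE code) of an
    'x events over y seconds' rule indexed on chosen properties."""
    def __init__(self, name, match, index_by, threshold, window_secs):
        self.name = name
        self.match = match          # predicate on an event dict
        self.index_by = index_by    # properties that form the tracking key
        self.threshold = threshold  # x events
        self.window = window_secs   # y seconds
        self.pending = defaultdict(deque)  # one pending object per unique key

    def process(self, event):
        """Return 'fired', 'partial', or None (rule tests did not match)."""
        if not self.match(event):
            return None
        event.setdefault("partial_matches", []).append(self.name)  # searchable tag
        key = tuple(event.get(p) for p in self.index_by)
        q = self.pending[key]
        q.append(event["time"])
        while q and event["time"] - q[0] > self.window:  # expire old timestamps
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # assumed: pending object is consumed when the rule fires
            return "fired"
        return "partial"

def search_partial(events, rule_name):
    """Events carrying the rule in their partial-match field."""
    return [e for e in events if rule_name in e.get("partial_matches", [])]

# constructed sample events, time in seconds
EVENTS = [
    {"time": 0,   "username": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"time": 20,  "username": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"time": 25,  "username": "bob",   "src_ip": "10.0.0.6", "outcome": "failure"},
    {"time": 100, "username": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"time": 110, "username": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"time": 120, "username": "alice", "src_ip": "10.0.0.5", "outcome": "failure"},
    {"time": 130, "username": "alice", "src_ip": "10.0.0.5", "outcome": "success"},
]

def simulate(events, threshold=3, window_secs=60):
    """Fresh rule: threshold failures per (username, src_ip) within window."""
    rule = CounterRule("failed_logins", lambda e: e["outcome"] == "failure",
                       ("username", "src_ip"), threshold, window_secs)
    tagged = [dict(e) for e in events]  # copies, since process() tags events
    return [rule.process(e) for e in tagged], tagged
```

Note that alice's first two failures age out of the 60-second window, so the rule only fires on the third failure of the later burst, while the success event is neither tagged nor counted.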


Document Information

Modified date:
02 April 2020