Create Custom Rules:
Out-of-the-box rules are great, but organizations often need:
Detection tailored to their environment (specific applications, servers, or log sources).
Use cases aligned to compliance frameworks (PCI-DSS, HIPAA, ISO).
Rules for new and emerging threats.
Custom rules allow you to fine-tune QRadar to your organization’s threat landscape.
Types of QRadar Rules:
Before creating one, it’s good to know the two major categories:
Event Rules – Triggered based on log/event data (e.g., detecting failed login attempts).
Flow Rules – Triggered by network traffic patterns (e.g., unusual outbound traffic).
Rules can then generate offences when conditions are met, which analysts can investigate in the QRadar console.
Step-by-Step: Creating a Custom Rule
1. Navigate to the Rule Wizard
In the QRadar console, open the Offenses tab, then go to Rules → Actions → New Event Rule (or New Flow Rule).
Select Rule Wizard for a guided creation experience.
2. Define the Rule Conditions
Start by selecting when the rule should trigger.
Example: “when the event(s) were detected by the log source [Windows Server] and the event name equals ‘Failed Login’”.
You can add AND/OR conditions for more precision.
3. Add Test Logic
Use building blocks (predefined conditions like “authentication failure” or “port scanning”).
Combine multiple tests for more advanced detection.
4. Configure Rule Responses
Decide what QRadar should do when the rule matches:
Create an offence
Add a custom log message
Send an email notification
Trigger integration actions
5. Save & Deploy
Save the rule and deploy changes so QRadar applies it.
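To make the wizard's steps concrete, here is an added example (not from this post and not QRadar's own code) in plain Python that models the event rule described in steps 2 to 4: the per-event conditions (log source "Windows Server" and event name "Failed Login"), a building block that combines them, a threshold test ("at least 5 events within 10 minutes with the same source IP"), and the offence record and custom log message raised as the response. The rule name, threshold, window, event field names and all sample events are constructed for illustration; a flow rule would have the same shape with flow properties (bytes, ports, direction) in place of the event fields.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional

@dataclass
class Event:
    """A normalised event as QRadar presents it after parsing (constructed shape)."""
    time: datetime
    log_source: str
    event_name: str
    source_ip: str
    username: str

# Step 2: a rule condition is a predicate over one event; several are AND-ed together.
Condition = Callable[[Event], bool]

def log_source_is(name: str) -> Condition:
    return lambda e: e.log_source == name

def event_name_is(name: str) -> Condition:
    return lambda e: e.event_name == name

def building_block(*conditions: Condition) -> Condition:
    """Step 3: combine several tests under one name, like a predefined building block."""
    return lambda e: all(c(e) for c in conditions)

@dataclass
class Rule:
    name: str
    condition: Condition      # steps 2-3: per-event conditions
    threshold: int            # "at least N events ..."
    window: timedelta         # "... within this time window ..."
    group_by: str             # "... with the same event property"
    seen: Dict[str, Deque[datetime]] = field(default_factory=lambda: defaultdict(deque))

    def evaluate(self, e: Event) -> Optional[dict]:
        """Return an offence record (the step 4 response) or None."""
        if not self.condition(e):
            return None
        key = getattr(e, self.group_by)
        times = self.seen[key]
        times.append(e.time)
        # Slide the window: forget events older than the window (never empties: e.time was just added).
        while e.time - times[0] > self.window:
            times.popleft()
        if len(times) < self.threshold:
            return None
        offence = {
            "rule": self.name,
            self.group_by: key,
            "count": len(times),
            "last_seen": e.time.isoformat(),
            # the custom log message, another step 4 response
            "message": f"{self.name}: {len(times)} failed logins from {key} within {self.window}",
        }
        times.clear()  # start a fresh count so one burst raises one offence
        return offence

def make_failed_login_rule() -> Rule:
    """The rule from the walkthrough: Windows Server 'Failed Login', 5 times in 10 minutes per source IP."""
    return Rule(
        name="Custom: repeated failed logins on Windows Server",
        condition=building_block(log_source_is("Windows Server"), event_name_is("Failed Login")),
        threshold=5,
        window=timedelta(minutes=10),
        group_by="source_ip",
    )

def run_rule(rule: Rule, events: List[Event]) -> List[dict]:
    """Feed events in time order and collect every offence the rule raises."""
    return [o for o in (rule.evaluate(e) for e in events) if o is not None]

# Constructed sample events (not real log data).
_T0 = datetime(2024, 1, 15, 9, 0, 0)

def _ev(minute: float, source: str, name: str, ip: str, user: str) -> Event:
    return Event(_T0 + timedelta(minutes=minute), source, name, ip, user)

SAMPLE_EVENTS = [
    _ev(0,   "Windows Server", "Failed Login",     "10.0.0.5", "alice"),
    _ev(1,   "Windows Server", "Failed Login",     "10.0.0.9", "bob"),
    _ev(1.5, "Windows Server", "Failed Login",     "10.0.0.5", "alice"),
    _ev(2,   "Linux Server",   "Failed Login",     "10.0.0.5", "alice"),  # wrong log source: ignored
    _ev(3,   "Windows Server", "Successful Login", "10.0.0.5", "alice"),  # wrong event name: ignored
    _ev(4,   "Windows Server", "Failed Login",     "10.0.0.5", "alice"),
    _ev(5,   "Windows Server", "Failed Login",     "10.0.0.9", "bob"),
    _ev(6,   "Windows Server", "Failed Login",     "10.0.0.5", "alice"),
    _ev(7,   "Windows Server", "Failed Login",     "10.0.0.5", "alice"),  # 5th from 10.0.0.5: offence
    _ev(8,   "Windows Server", "Failed Login",     "10.0.0.9", "bob"),    # only the 3rd from 10.0.0.9
]

def detect(events: List[Event] = SAMPLE_EVENTS) -> List[dict]:
    """Run a fresh copy of the rule over the events and return the offences raised."""
    return run_rule(make_failed_login_rule(), events)

for offence in detect():
    print(offence["message"])
```

Run over the sample events the rule raises exactly one offence, for 10.0.0.5 at 09:07, while the three attempts from 10.0.0.9 stay under the threshold and the Linux and successful-login events never match. Tuning the threshold, the window and the group-by property is the same trade-off you make in the wizard: too low and every mistyped password becomes an offence, too high and a slow-and-low pattern slips through.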
#IBMChampion