Create Custom Rules
Out-of-the-box rules are great, but organizations often need:
- Detection tailored to their environment (specific applications, servers, or log sources).
- Use cases aligned to compliance frameworks (PCI-DSS, HIPAA, ISO).
- Rules for new and emerging threats.
Custom rules allow you to fine-tune QRadar to your organization’s threat landscape.
Types of QRadar Rules:
Before creating one, it’s good to know the two major categories:
- Event Rules – Triggered by log/event data (e.g., detecting failed login attempts).
- Flow Rules – Triggered by network traffic patterns (e.g., unusual outbound traffic).
Rules can then generate offenses when conditions are met, which analysts can investigate in the QRadar console.
Step-by-Step: Creating a Custom Rule
1. Navigate to the Rule Wizard
In the QRadar console, go to Offenses → Rules → Actions → New Event Rule (or Flow Rule).
Select Rule Wizard for a guided creation experience.
2. Define the Rule Conditions
Start by selecting when the rule should trigger.
- Example: “when the event(s) were detected by the log source [Windows Server] and the event name equals ‘Failed Login’”.
You can add AND/OR conditions for more precision.
3. Add Test Logic
- Use building blocks (predefined conditions like “authentication failure” or “port scanning”).
- Combine multiple tests for more advanced detection.
4. Configure Rule Responses
Decide what QRadar should do when the rule matches:
- Create an offense
- Add a custom log message
- Send an email notification
- Trigger integration actions
5. Save & Deploy
- Save the rule and deploy changes so QRadar applies it.
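As an added example (not QRadar's own rule engine or API), here is a small Python stand-in for the rule built in the steps above: the post's condition on log source and event name, an added OR on the event name, an assumed threshold of 5 matches per user within 10 minutes (the threshold is this example's assumption, not stated in the post), and an offense record as the response, run over constructed sample events.

```python
from datetime import datetime, timedelta

def ev(hhmmss, log_source, event_name, user):
    # Constructed sample event, shaped like the normalized fields a QRadar rule tests.
    return {"time": f"2024-05-01T{hhmmss}", "log_source": log_source,
            "event_name": event_name, "user": user}

EVENTS = [  # constructed, not real QRadar data
    ev("09:00:00", "Windows Server", "Failed Login", "alice"),
    ev("09:00:20", "Windows Server", "Failed Login", "alice"),
    ev("09:00:40", "Windows Server", "Logon Failure", "alice"),
    ev("09:01:00", "Windows Server", "Failed Login", "alice"),
    ev("09:01:30", "Windows Server", "Failed Login", "alice"),
    ev("09:00:00", "Windows Server", "Failed Login", "bob"),
    ev("09:30:00", "Windows Server", "Failed Login", "bob"),   # outside bob's 10-min window
    ev("09:00:10", "Linux Server", "Failed Login", "carol"),   # wrong log source, never matches
]

# Assumed rule: the post's condition plus an OR on the event name and a threshold of
# 5 matches per user within 10 minutes (the threshold is this example's assumption).
RULE = {
    "name": "Windows failed logins",
    "all_of": {"log_source": "Windows Server"},                   # AND conditions
    "any_of": {"event_name": {"Failed Login", "Logon Failure"}},  # OR condition
    "threshold": 5,
    "window": timedelta(minutes=10),
}

def event_matches(rule, event):
    """Steps 2-3: every AND field must equal its value; each OR field must be in its set."""
    return (all(event.get(k) == v for k, v in rule["all_of"].items())
            and all(event.get(k) in v for k, v in rule["any_of"].items()))

def evaluate(rule, events):
    """Step 4: one offense per user whose matches reach the threshold inside a sliding window."""
    per_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if event_matches(rule, e):
            per_user.setdefault(e["user"], []).append(datetime.fromisoformat(e["time"]))
    offenses = []
    for user, times in per_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > rule["window"]:
                start += 1  # drop matches older than the window
            if end - start + 1 >= rule["threshold"]:
                offenses.append({"rule": rule["name"], "user": user, "count": end - start + 1,
                                 "first": times[start].isoformat(), "last": t.isoformat()})
                break  # later matches would chain to this offense rather than open a new one
    return offenses
```

Running `evaluate(RULE, EVENTS)` yields a single offense for alice (5 matches between 09:00:00 and 09:01:30); bob never reaches the threshold inside the window and carol's events fail the log-source condition.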
#IBMChampion