You could attempt to revert the rule to its default state, which would tell you if the changes you made caused some kind of issue. Optionally, you could delete the rule as well, but record or screen capture the rule so you can recreate it. You should also confirm the name of the rule that was failing. In the system notification, the rule ID and name are defined within the notification.
You'll also see an error posted to the logs with the information in /var/log/qradar.log:
[ecs-ep.ecs-ep] [31901c78-6444-4e05-a034-320610c649e3/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][IPADDRESS/- -] [-/- -]The Custom Rule ID is #124176, Rule Name is: New Recon: Aggressive Local L2R Scanner Detected: null
[ecs-ep.ecs-ep] [31901c78-6444-4e05-a034-320610c649e3/SequentialEventDispatcher] java.lang.NullPointerException
Confirm if any associated rules are missing or disabled. If not, then I would revert or delete and recreate the rule.
Reference information:
https://www.ibm.com/docs/en/qradar-on-cloud?topic=appliances-cre-failed-read-rules
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
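A small helper, added here as an example (it is not from the reply above or from IBM's QRadar code), that pulls the failing rule ID and rule name out of qradar.log lines of the form shown above and pairs each CustomRule [ERROR] line with the exception logged on the following line. The sample log text is constructed, and treating the trailing ": null" as the logger's exception message rather than part of the rule name is an assumption.

```python
import re

# Constructed sample in the format shown in the reply above (not a real capture).
SAMPLE_LOG = """\
[ecs-ep.ecs-ep] [31901c78-6444-4e05-a034-320610c649e3/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][IPADDRESS/- -] [-/- -]The Custom Rule ID is #124176, Rule Name is: New Recon: Aggressive Local L2R Scanner Detected: null
[ecs-ep.ecs-ep] [31901c78-6444-4e05-a034-320610c649e3/SequentialEventDispatcher] java.lang.NullPointerException
[ecs-ep.ecs-ep] [31901c78-6444-4e05-a034-320610c649e3/SequentialEventDispatcher] com.q1labs.semsources.cre.CustomRule: [INFO] [NOT:0000006000][IPADDRESS/- -] [-/- -]Rules loaded
"""

# Matches the CRE error line and captures the numeric rule ID and the name text.
RULE_ERROR = re.compile(
    r"com\.q1labs\.semsources\.cre\.CustomRule: \[ERROR\] .*?"
    r"The Custom Rule ID is #(?P<rule_id>\d+), Rule Name is: (?P<rule_name>.*)$"
)
# Matches a bare Java exception class at the end of the next log line.
EXCEPTION = re.compile(r"\]\s*(?P<exc>[\w.]+(?:Exception|Error))\s*$")


def failing_rules(log_text):
    """Return one dict per CustomRule [ERROR] line: rule_id, rule_name and the
    exception class from the following line (None if no exception follows)."""
    results = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = RULE_ERROR.search(line)
        if not m:
            continue
        name = m.group("rule_name").strip()
        # Assumption: the trailing ": null" is the (empty) exception message the
        # logger appends, not part of the rule name, so drop it.
        if name.endswith(": null"):
            name = name[: -len(": null")]
        exc = None
        if i + 1 < len(lines):
            em = EXCEPTION.search(lines[i + 1])
            if em:
                exc = em.group("exc")
        results.append({"rule_id": int(m.group("rule_id")),
                        "rule_name": name, "exception": exc})
    return results


if __name__ == "__main__":
    for r in failing_rules(SAMPLE_LOG):
        print(f"Rule #{r['rule_id']} '{r['rule_name']}' failed with {r['exception']}")
```

Run it against a copy of /var/log/qradar.log to get the list of rule IDs and names to revert or recreate, as the reply suggests.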
Original Message:
Sent: Fri October 22, 2021 05:02 PM
From: naeel mostafa
Subject: Can't read in rules/ ransomware test
Hello everyone,
I'm working on a proof of concept and I'm using QRadar CE. Today I wanted to run a ransomware (WannaCry) test and see if QRadar can detect it. I have installed the Endpoint content extension but I get the following error:
38750107 - The last attempt to read in rules (usually due to a rule change) has failed. Please see the message details and error log for information on how to resolve this.
Can anyone help me here? And how can I run a ransomware test on QRadar? Thanks in advance.
FYI, I ran the WannaCry on Windows 8 but QRadar couldn't detect it.
------------------------------
naeel mostafa
------------------------------