IBM QRadar

Long store short we have a bunch of logsources that have peaks and valleys in the EPS we are trying to create alerts if a logsource average eps drops below a baseline number. The log sources we are wanting to monitor are load balanced but they do load balancing based on proximity so we have some that have a 5 - 6 eps and some that have a 200 - 400 eps. Was thinking that if I could set a five minute baseline custom field or such I could compare previous averages and alert if a log source goes from lets say 400 eps to 150 eps. Lets have a discussion on the best way to do this or if you have seen it done what is your suggestion?

We are writing a machine learning app to do it.  The built in anomaly stuff is pretty good for thresholds and stuff like that.  The best one to use is the Behavioral rule, but you have to have the query perfect and the importance values.  I have actually read some of the math involved, Gladys Koscas shared when she was at IBM.  I don't have the links available.  Figure out how to use those behavioral rules, they are well worth the time.

Long store short we have a bunch of logsources that have peaks and valleys in the EPS we are trying to create alerts if a logsource average eps drops below a baseline number. The log sources we are wanting to monitor are load balanced but they do load balancing based on proximity so we have some that have a 5 - 6 eps and some that have a 200 - 400 eps. Was thinking that if I could set a five minute baseline custom field or such I could compare previous averages and alert if a log source goes from lets say 400 eps to 150 eps. Lets have a discussion on the best way to do this or if you have seen it done what is your suggestion?

Found some stuff here for her:
https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2022/05/24/highlights-of-qradar-content

Might also be some info found here: 

https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2022/09/29/everything-you-need-to-know-about-qradar-rules

@Frank Eargle do either of these look familiar? 

We are writing a machine learning app to do it.  The built in anomaly stuff is pretty good for thresholds and stuff like that.  The best one to use is the Behavioral rule, but you have to have the query perfect and the importance values.  I have actually read some of the math involved, Gladys Koscas shared when she was at IBM.  I don't have the links available.  Figure out how to use those behavioral rules, they are well worth the time.

Long store short we have a bunch of logsources that have peaks and valleys in the EPS we are trying to create alerts if a logsource average eps drops below a baseline number. The log sources we are wanting to monitor are load balanced but they do load balancing based on proximity so we have some that have a 5 - 6 eps and some that have a 200 - 400 eps. Was thinking that if I could set a five minute baseline custom field or such I could compare previous averages and alert if a log source goes from lets say 400 eps to 150 eps. Lets have a discussion on the best way to do this or if you have seen it done what is your suggestion?

Sorry, this somehow got buried.  Yes Gladys has left IBM but we used to work very closely with her.  Unfortunately nothing quite answers the problem of log sources stopping or a statistical anomaly in the EPS rate.  We have written our own logic as I mentioned in the previous post.  Basically we create a reference set with a time to live matching the desired time frame.  We write an update rule based on the log source group (1hr, 2hr, 24hr and clusters) which updates the reference set only when 1/2 the time has passed (in order to keep load on DB and system low).  Then we write a rule that fires an offense when an entry expires out of the reference set.  Clusters have slightly different logic.  Search this forum for how that is done, but it is basically the same methods, just that either host logging is acceptable.

Hope this helps.

-Frank

Found some stuff here for her:
https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2022/05/24/highlights-of-qradar-content

Might also be some info found here: 

https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2022/09/29/everything-you-need-to-know-about-qradar-rules

@Frank Eargle do either of these look familiar? 

We are writing a machine learning app to do it.  The built in anomaly stuff is pretty good for thresholds and stuff like that.  The best one to use is the Behavioral rule, but you have to have the query perfect and the importance values.  I have actually read some of the math involved, Gladys Koscas shared when she was at IBM.  I don't have the links available.  Figure out how to use those behavioral rules, they are well worth the time.

Long store short we have a bunch of logsources that have peaks and valleys in the EPS we are trying to create alerts if a logsource average eps drops below a baseline number. The log sources we are wanting to monitor are load balanced but they do load balancing based on proximity so we have some that have a 5 - 6 eps and some that have a 200 - 400 eps. Was thinking that if I could set a five minute baseline custom field or such I could compare previous averages and alert if a log source goes from lets say 400 eps to 150 eps. Lets have a discussion on the best way to do this or if you have seen it done what is your suggestion?