https://www.ibm.com/docs/en/qradar-on-cloud?topic=siem-custom-event-flow-properties#c_qradar_cust_evt_fl_prop__title__4
Original Message:
Sent: Fri September 19, 2025 08:14 AM
From: Russell Lieneman
Subject: Create one of two differently named offenses without duplicating rules
Interesting, never done that before. Where would you use the AQL? Is it somewhere in the rule? Pardon the questions.
------------------------------
Russell Lieneman
Original Message:
Sent: Thu September 18, 2025 06:08 PM
From: Perf1
Subject: Create one of two differently named offenses without duplicating rules
If all you are after is a different offense name, conditional on some properties, then there are multiple ways to achieve that. For example, create an AQL property with the required conditions and index your offense on it:
If ReferenceSetContains('MyRefSet1',sourceip) Then Concat('CRITICAL - ', sourceip) ELSE STR(sourceip)
Original Message:
Sent: Thu September 18, 2025 04:26 PM
From: Russell Lieneman
Subject: Create one of two differently named offenses without duplicating rules
Say we have a group of test systems we run tests from each week. We have rules built around the activities that we are testing, but we do not want the offenses to fire criticals if the activity is from specific systems; we still want to see the activity. In the past we have taken all our Critical rules and duplicated them, creating one rule with critical alerting if the source IP is not in a reference set, and one rule that raises a duplicate, but differently named, event with no critical alert if the system's source IP is in the reference set.
I.e. Rule: Crowdstrike Critical - Multiple attempts to do something - With critical alerting
Duplicate rule: Red Team Crowdstrike Critical - Multiple attempts to do something - With no critical alerting
Is there a good way to do the same thing without duplicating the rules and then maintaining two different rules when tuning is needed?
------------------------------
Russell Lieneman
------------------------------