IBM QRadar

Don't 'over' and 'more than' mean the same thing in Rules?

  • 1.  Don't 'over' and 'more than' mean the same thing in Rules?

    Posted Tue August 03, 2021 02:45 AM

    I set this rule:

    • when all of these "BB:CategoryDefinition: Firewall or ACL Accept", in order, from the same source IP to any destination IP, over 5 minutes

    Less than 5 seconds later, an offense occurred.

    I understood that an offense occurs with this rule when it is more than 5 minutes.

    What does 'over' mean in QRadar's Rules?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Don't 'over' and 'more than' mean the same thing in Rules?
    Best Answer

    Posted Tue August 03, 2021 05:23 AM

    Hi,

    "Over 5 minutes" means NOT more than 5 minutes.

    When the rule encounters a first matching event, a 5-minute counter starts from that point onward, and within those five minutes the rule checks whether or not all criteria are matched. If they are matched, the condition evaluates to TRUE, else FALSE.

    Hope it helps.



    #QRadar
    #Support
    #SupportMigration
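The window semantics described in the answer above, as an added illustrative model that is not part of the original thread and is not QRadar's rule engine: a hypothetical OrderedWindowRule opens a window at the first event matching the first test and fires only if the remaining ordered tests match from the same source IP before the window closes. The Event fields, the is_accept / is_deny predicates (standing in for building blocks), the addresses and the category strings are all constructed for the example. Because the poster's rule has a single test, "all of these" is already satisfied by the first accept, which is why the rule fires within seconds; a second ordered test shows the window actually bounding the match.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Constructed, minimal event model (hypothetical). A real QRadar normalized
# event carries far more fields; only what the windowed match needs is here.
@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    dst_ip: str
    category: str      # stands in for the category a building block tests

# One clause of the rule's "all of these ... in order" list, modelled as a
# predicate over an Event.
Test = Callable[[Event], bool]


@dataclass
class _Window:
    """Per-source-IP state: when the window opened and how many of the
    ordered tests have matched so far."""
    opened: datetime
    matched: int


class OrderedWindowRule:
    """Illustrative model (not the QRadar engine) of
    'when all of these tests, in order, from the same source IP, over N minutes'.

    The window opens at the first event that matches tests[0].  The rule fires
    as soon as the remaining tests have matched, in order, before the window
    closes.  Once the window has expired the partial match is discarded and a
    later event may open a fresh window.  Modelling assumption: events that do
    not match the next expected test are ignored rather than breaking the
    sequence."""

    def __init__(self, tests: List[Test], over_minutes: int):
        if not tests:
            raise ValueError("a rule needs at least one test")
        self.tests = tests
        self.over = timedelta(minutes=over_minutes)
        self._windows: Dict[str, _Window] = {}

    def feed(self, ev: Event) -> bool:
        """Process one event; return True when the rule fires on it."""
        win = self._windows.get(ev.src_ip)
        # Window expired: the partial match is dropped ("... else FALSE").
        if win is not None and ev.ts - win.opened > self.over:
            del self._windows[ev.src_ip]
            win = None
        if win is None:
            # No open window for this source: only tests[0] can start one.
            if not self.tests[0](ev):
                return False
            win = _Window(opened=ev.ts, matched=1)
            self._windows[ev.src_ip] = win
        elif self.tests[win.matched](ev):
            win.matched += 1
        if win.matched == len(self.tests):
            # Every ordered test satisfied inside the window: fire and reset.
            del self._windows[ev.src_ip]
            return True
        return False


def fire_offsets(tests: List[Test], over_minutes: int,
                 events: List[Event]) -> List[int]:
    """Replay a time-ordered event list through a fresh rule and return the
    offsets (seconds after the first event) at which the rule fired."""
    rule = OrderedWindowRule(tests, over_minutes)
    t0 = events[0].ts
    return [int((ev.ts - t0).total_seconds()) for ev in events if rule.feed(ev)]


# --- constructed sample stream (hypothetical addresses and categories) ------
T0 = datetime(2021, 8, 3, 2, 45, 0)
ACCEPT, DENY = "Firewall Permit", "Firewall Deny"

def is_accept(ev: Event) -> bool:   # stands in for "Firewall or ACL Accept"
    return ev.category == ACCEPT

def is_deny(ev: Event) -> bool:     # a second, hypothetical building block
    return ev.category == DENY

SAMPLE = [
    Event(T0,                          "10.0.0.5", "203.0.113.7", ACCEPT),
    Event(T0 + timedelta(seconds=3),   "10.0.0.5", "203.0.113.8", ACCEPT),
    Event(T0 + timedelta(seconds=60),  "10.0.0.9", "203.0.113.7", ACCEPT),
    Event(T0 + timedelta(minutes=2),   "10.0.0.5", "203.0.113.9", DENY),
    Event(T0 + timedelta(minutes=9),   "10.0.0.9", "203.0.113.7", DENY),
]

if __name__ == "__main__":
    # The poster's rule: a single test, so "all of these" is satisfied by the
    # very first matching event and the rule fires immediately.
    print("one test, over 5 min  :", fire_offsets([is_accept], 5, SAMPLE))
    # Two ordered tests: fires only when the deny follows the accept inside
    # the window; 10.0.0.9's deny arrives 8 minutes after its accept.
    print("two tests, over 5 min :", fire_offsets([is_accept, is_deny], 5, SAMPLE))
    print("two tests, over 10 min:", fire_offsets([is_accept, is_deny], 10, SAMPLE))
```

With one test the rule fires at offsets 0, 3 and 60 seconds, once per accept; with two ordered tests and a 5-minute window it fires only for 10.0.0.5 at 120 seconds, and 10.0.0.9's deny at 540 seconds is discarded because its window opened at 60 seconds and has expired; widening the window to 10 minutes makes that second sequence fire as well. "Over N minutes" therefore bounds how long the evidence may take to accumulate; it is never a minimum delay, so a rule meant to wait for repeated activity needs a condition that counts events within the window rather than a single test.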