Hi,
I have a reference set with domains and I want to create a rule that when a domain is contained in that reference set the qradar creates an offense.
But I want a partial match and not a complete match. The final objective is to identify the subdomains of the domains contained in the reference set.

------------------------------
Edgar Faria
------------------------------

Hi Edgar. I don't believe you can use a partial match in a rule without an AQL or a search. I crafted something to help you get started but it will need some adjustments to narrow it down such as QID of the event your are looking for and maybe a response limit. You could also look for the specific value as I did in the query and export a CSV from QRadar to help you get those values (which could work in your case):

select "Domain ID" from events where "Domain ID" like '%' and REFERENCESETCONTAINS('EDGAR_SET', "Domain ID") GROUP BY "Domain ID" ORDER BY "Domain ID" DESC LAST 20 MINUTES

The problem with it is, it will match ALL domains OR domains in the reference-set which will make it a rather big search or rule. As I said, this can help you get started in it but will need adjustments to be specific to your environment.

------------------------------
Bruno Silva
------------------------------

Original Message:
Sent: Tue July 28, 2020 10:12 AM
From: Edgar Faria
Subject: partial match in a reference set

Hi,
I have a reference set with domains and I want to create a rule that when a domain is contained in that reference set the qradar creates an offense.
But I want a partial match and not a complete match. The final objective is to identify the subdomains of the domains contained in the reference set.

------------------------------
Edgar Faria
------------------------------

Hi,

I would just extract custom property and match it against that.

Cheers,
Ankit

------------------------------
Ankit Sharma
------------------------------

Original Message:
Sent: Tue July 28, 2020 10:12 AM
From: Edgar Faria
Subject: partial match in a reference set

Hi,
I have a reference set with domains and I want to create a rule that when a domain is contained in that reference set the qradar creates an offense.
But I want a partial match and not a complete match. The final objective is to identify the subdomains of the domains contained in the reference set.

------------------------------
Edgar Faria
------------------------------

Last time I checked, only full matches were supported against reference data set entries. As I was told, it might be possible to do it with some custom functions, but event then you would limit it to very small collections - as such functions would be quite heavy on resources.

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Tue July 28, 2020 10:12 AM
From: Edgar Faria
Subject: partial match in a reference set

Hi,
I have a reference set with domains and I want to create a rule that when a domain is contained in that reference set the qradar creates an offense.
But I want a partial match and not a complete match. The final objective is to identify the subdomains of the domains contained in the reference set.

------------------------------
Edgar Faria
------------------------------