Hi,
your rule looks like this
thats all you need but:
- you still have to enable it, pls double check at rule summary
- rule type needs to be event rule (trivial)
- the event QID selected needs to hit Qradar after you enabled the rule - double check in log activity
- rule eventually needs to be deployed to your event processor (distributed architecture?)
- rule action and response need to be set accordingly
"However the event count continues to be 0 even though events have been generated." that explains why you see no reaction . Which event count do you refer to? which rule action and which response did you choose? as events, metaevents and rules are correlated depending on your rule settings made, results can differ in many ways. Pls explain what you expect and what you get
------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------
Original Message:
Sent: Wed February 24, 2021 03:29 AM
From: Ather Mobeen
Subject: Rule not triggered
Hi guys,
I'm currently facing difficulties creating custom rules for QRadar.
I'm trying to set a rule that will trigger when a specific event has occurred.
I have set the rule logic to apply to events set to local system AND when Qid is ******************* .
However the event count continues to be 0 even though events have been generated.
Did I miss out a step
------------------------------
Ather Mobeen
------------------------------