IBM QRadar

  • 1.  Setting QRadar rule priority?

    Posted Fri April 08, 2022 03:35 PM
    Edited by Dan Zerkle Wed April 13, 2022 03:10 PM
    I have a particular rule that I want to have priority over all other rules when generating offenses on an event.  Some of the other rules may be unknown ahead of time. So, for example, imagine I have 5000 offense rules:

    Rule 1:  Triggers on all events from Log Source Type A.  Some events from this log source type are of high-level category Exploit, and some are not.  Some of these events have a source IP address in the 10.0.2.0/24 subnet, and some do not.

    Rule 2:  Triggers on all events of high-level category Exploit.

    Rule 3:  Triggers on all events with a source IP address in subnet 10.0.2.0/24

    Rules 4 - 5000:  Trigger on assorted conditions that might or might not be met by events from Log Source Type A

    I want all events from Log Source Type A to trigger Rule 1 and I want them to avoid triggering any of rules 2-5000.

    I do not want to modify rules 2-5000.  That's too many, especially considering that I might need other high-priority rules like Rule 1 in the future, the conditions on Rule 1 might change, and this could end up being overly complex.

    Can this be done?  Will the "Bypass further rule correlation event" checkbox help?  I'm concerned that setting that option for Rule 1 won't do any good if Rule 3 has already fired.

    ------------------------------
    Dan Zerkle
    ------------------------------


  • 2.  RE: Setting QRadar rule priority?

    Posted Wed April 13, 2022 12:51 PM
    Dan,

    OMG. Where to start? First of all: 5000 rules are 4000 rules too many. Never seen that before in 12 years of QRadar. Where do they come from? History? Self-developed?
    QRadar has 1000+ rules available out of the box. Please use Use Case Manager to enable those that may fit your environment and disable those that don't. Some more questions. "Triggers" means the rules are firing a meta-event or offenses or both? Makes a big difference! What rule types are being used?

    Trying to answer your questions:
    • Rule 1: all events? No category test? No IP filter? No test at all but log source type? Bad idea anyway!
    • Rule 2: at least a filter on log source types not used in Rule 1 should be applied, as those events are processed a second time
    • Rule 3: again all events are processed using one test only. Why?
    • Rules 4 - 5000: 4995 rules on one log source type? What for? Why not put your test conditions in fewer rules? If you are looking for OR conditions, those can be put in reference lists or BBs
    Rules are multimatch, as you know. If you don't want to change 5000 rules you may have an even bigger problem. What about rule performance, BTW? There are ways to change more than one rule at a time using Use Case Manager and thus reduce the complexity of your rule sets.

    The "Bypass further rule correlation event" checkbox will make other rules be ignored for the events matching Rule 1, i.e. it will bypass further rule processing for those events. If Rule 3 has fired already you may be fine, but it won't fire again after the condition of Rule 1 has been met, i.e. Rule 1 events are "lost". It can be done, but I am skeptical that this is what you want. Why not test your rules on a dedicated test system?

    QRadar Documentation about bypass parameter says: Forces the matched event or flow to bypass all other rules in the rule engine and prevents it from creating an offense. The event is written to storage for searching and reporting.

    Please provide the rule summary for rules 1-10 if you have more questions and I might be able to help.
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
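The following is an added illustration of the rule-evaluation behaviour discussed in this reply and in the original question; it is not QRadar code and not posted by either participant. It is a toy model of a multimatch rule engine in which a matching rule with the bypass flag set skips all remaining rules and creates no offense, which is the documented behaviour Karl quotes. The rule names, the event field names, the assumption that rules are evaluated strictly in list order, and the simplification that every matching non-bypass rule creates an offense are all assumptions of the model.

```python
"""Toy model of multimatch rule evaluation with a "bypass further rule
correlation" flag. Added to illustrate the thread; this is NOT QRadar's
engine. Rule names, event field names, strict list-order evaluation and
"every matching non-bypass rule creates an offense" are assumptions."""

import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]


@dataclass
class Rule:
    name: str
    test: Callable[[Event], bool]
    bypass: bool = False  # models the "Bypass further rule correlation event" box


@dataclass
class Result:
    matched: List[str] = field(default_factory=list)   # rules whose test passed
    offenses: List[str] = field(default_factory=list)  # rules that raised an offense
    stored: bool = True  # the event is always written to storage for search/reports


def evaluate(rules: List[Rule], event: Event) -> Result:
    """Run every rule against the event in list order (rules are multimatch).

    A matching rule with bypass set forces the event past all remaining rules
    and prevents it from creating an offense (the quoted documentation).
    Rules earlier in the order have already fired and are unaffected.
    """
    result = Result()
    for rule in rules:
        if not rule.test(event):
            continue
        result.matched.append(rule.name)
        if rule.bypass:
            break  # remaining rules are skipped and this rule raises no offense
        result.offenses.append(rule.name)
    return result


def src_in(prefix: str) -> Callable[[Event], bool]:
    """Build a source-IP subnet test (the Rule 3 condition from the post)."""
    net = ipaddress.ip_network(prefix)
    return lambda e: ipaddress.ip_address(e["src_ip"]) in net


# Constructed sample event from Log Source Type A that also satisfies
# Rules 2 and 3 of the post (Exploit category, source in 10.0.2.0/24).
EVENT_A: Event = {
    "log_source_type": "A",
    "high_level_category": "Exploit",
    "src_ip": "10.0.2.17",
}

RULE1 = "Rule 1: log source type A"
RULE2 = "Rule 2: category Exploit"
RULE3 = "Rule 3: src in 10.0.2.0/24"


def rules_for(bypass_rule1: bool) -> Dict[str, Rule]:
    """The three example rules from the question; only Rule 1 may bypass."""
    return {
        "rule1": Rule(RULE1, lambda e: e["log_source_type"] == "A", bypass_rule1),
        "rule2": Rule(RULE2, lambda e: e["high_level_category"] == "Exploit"),
        "rule3": Rule(RULE3, src_in("10.0.2.0/24")),
    }


def scenario_multimatch() -> Result:
    """No bypass anywhere: every matching rule creates an offense."""
    r = rules_for(bypass_rule1=False)
    return evaluate([r["rule1"], r["rule2"], r["rule3"]], EVENT_A)


def scenario_bypass_first() -> Result:
    """Rule 1 with bypass, ordered first: Rules 2 and 3 never see the event,
    but Rule 1 itself creates no offense either (the asker's objection)."""
    r = rules_for(bypass_rule1=True)
    return evaluate([r["rule1"], r["rule2"], r["rule3"]], EVENT_A)


def scenario_bypass_after_rule3() -> Result:
    """Rule 1 with bypass, but Rule 3 ordered ahead of it: Rule 3 has already
    fired by the time the bypass takes effect (the asker's ordering concern)."""
    r = rules_for(bypass_rule1=True)
    return evaluate([r["rule3"], r["rule1"], r["rule2"]], EVENT_A)


if __name__ == "__main__":
    for label, fn in [("multimatch", scenario_multimatch),
                      ("bypass first", scenario_bypass_first),
                      ("bypass after rule 3", scenario_bypass_after_rule3)]:
        res = fn()
        print(f"{label}: matched={res.matched} offenses={res.offenses}")
```

Running the three scenarios shows the two properties the thread turns on: without bypass the event raises an offense from every rule it matches, and with bypass on Rule 1 the event raises no offense from Rule 1 at all, while any rule ordered ahead of Rule 1 still fires. In a real deployment the rule order and the offense-generating response are configured per rule, so treat the model as a way to reason about the semantics, not as a substitute for testing on a dedicated system as suggested above.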



  • 3.  RE: Setting QRadar rule priority?

    Posted Wed April 13, 2022 03:10 PM
    Edited by Dan Zerkle Wed April 13, 2022 03:11 PM
    No, I don't really have 5000 rules.  As I wrote, that's just "for example".  I made up the 5000 to make sure nobody tells me to go modify all the rules that might match, because that would quickly become too complex.

    The point is that I have a rule that creates an offense.  If an event matches the conditions for that rule, I want to make sure it triggers no other rule, and I don't want to modify all the other rules that might match.  (Because there are a lot of them, because I don't know what all of them are, because the conditions on that rule might change, and because there might be new ones in the future.)

    ------------------------------
    Dan Zerkle
    ------------------------------



  • 4.  RE: Setting QRadar rule priority?

    Posted Thu April 14, 2022 05:01 AM
    Hi Dan,
    if you are using examples, please stay realistic! As outlined before, there is no concern about using the Bypass checkbox if that's what you want. It's used by default rules and it will work! Whether it meets your expectations is another story.
    the proof of the pudding is in the eating
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------



  • 5.  RE: Setting QRadar rule priority?

    Posted Thu April 14, 2022 01:59 PM
    As you point out, the "Bypass further rule correlation event" documentation says that this option prevents the event from creating an offense, and I want events that match Rule 1 to create an offense (but only from Rule 1). So, it doesn't look like this option meets my needs.

    ------------------------------
    Dan Zerkle
    ------------------------------