IBM QRadar

  • 1.  Whitelisting a false positive

    Posted Sat October 12, 2019 08:02 AM
    Hi,

    Trying to whitelist a false positive offense.

    In a log source there are two types of events...
    Event 1 signals a suspicious situation.
    Event 2 signals that a situation has occurred from a certain machine.

    Now there is a similarity...
    If event 1 occurs and event 2 has occurred in the same minute with the same username
    Then the event is false positive.

    Is there a way to combine those events and make a rule to filter out the false positives within QRadar?


    ------------------------------
    Jan-dirk Prins
    ------------------------------


  • 2.  RE: Whitelisting a false positive

    Posted Fri October 25, 2019 10:16 AM
    Hi @Jan Prins,

    There's always a way for everything.
    As you are sure that if event 2 occurs around event 1 it is a false positive, it makes it relatively easy. You can achieve this in many ways: Building Blocks, Rules etc.
    But in rules, if you go to Test Group "Functions - Sequence", you will see many tests for you.
    You may create a building block with event 1 matching and a building block with event 2 matching. The idea is: when BB2 matches when BB1 has matched in some time with the same username, in any order.

    Hope this helps.


    ------------------------------
    Chinmay Kulkarni
    ------------------------------
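The correlation the answer describes (event 1 is suppressed when an event 2 for the same username lands within the window, in either order) can be prototyped offline before it is turned into building blocks and a sequence test. The following is an added example, not code from the thread or from IBM: the event fields and the sample events are constructed, and a 60-second sliding window is assumed in place of "the same minute".

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events standing in for the two event types the post
# describes; the field names are an assumption, not QRadar's own schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"time": "2019-10-12T08:00:05", "type": "event1", "user": "alice"},
    {"time": "2019-10-12T08:00:40", "type": "event2", "user": "alice"},  # 35 s later
    {"time": "2019-10-12T08:05:00", "type": "event1", "user": "bob"},
    {"time": "2019-10-12T08:07:00", "type": "event2", "user": "bob"},    # 120 s later
    {"time": "2019-10-12T08:10:10", "type": "event2", "user": "carol"},  # event2 first
    {"time": "2019-10-12T08:10:30", "type": "event1", "user": "carol"},
    {"time": "2019-10-12T08:12:00", "type": "event1", "user": "dave"},
    {"time": "2019-10-12T08:12:00", "type": "event2", "user": "eve"},    # other user
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def classify_event1(events: List[Dict[str, str]],
                    window_seconds: int = 60) -> Dict[Tuple[str, str], str]:
    """Return a verdict for every event 1, keyed by (time, user).

    The verdict is "false_positive" when an event 2 for the same user occurs
    within window_seconds before or after the event 1 (mirroring the "same
    username, any order" idea of the answer), otherwise "offense".
    """
    window = timedelta(seconds=window_seconds)
    # Index event 2 timestamps per user so each event 1 only scans its own user.
    event2_by_user: Dict[str, List[datetime]] = {}
    for ev in events:
        if ev["type"] == "event2":
            event2_by_user.setdefault(ev["user"], []).append(_parse(ev["time"]))

    verdicts: Dict[Tuple[str, str], str] = {}
    for ev in events:
        if ev["type"] != "event1":
            continue
        t1 = _parse(ev["time"])
        # abs() makes the check order-independent: event 2 may precede event 1.
        matched = any(abs(t2 - t1) <= window
                      for t2 in event2_by_user.get(ev["user"], []))
        verdicts[(ev["time"], ev["user"])] = "false_positive" if matched else "offense"
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify_event1(SAMPLE_EVENTS).items():
        print(key, verdict)
```

Only alice and carol are suppressed: bob's event 2 falls outside the window and dave's matching event 2 belongs to a different user, so both remain offenses.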