IBM QRadar

  • 1.  domain specific rules

    Posted Wed August 04, 2021 09:59 AM

    I am trying to understand the necessity of domain specific rules...

    If I am an MSSP that has customers A, B, C segmented into domains A, B, C and each domain has a dedicated processor, is there still a need to specify that a certain rule should only trigger for domain A? If all rules are designated as local then the domain specific CRE on the processor for domain A will only evaluate rules based on events specific to domain A, so there would be no need to designate a rule as only firing for domain A? Am I correct in my assumption?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: domain specific rules
    Best Answer

    Posted Wed August 04, 2021 10:13 AM

    The main reason to have Domain specific rules is to allow you to implement different Use Cases for different Domains/Tenants.





  • 3.  RE: domain specific rules
    Best Answer

    Posted Wed August 04, 2021 10:31 AM

    Hi Paul,

    Thanks, and I understand that.

    To your mind, if, for example, I want a simple auth rule that triggers after 5 fails in 5 mins only to trigger for Domain A & B, do I still have to mark that rule as being for Domain A & B only? Won't it trigger for those domains purely based on the events that are being collected/evaluated on their respective domain dedicated processors/CRE?





  • 4.  RE: domain specific rules
    Best Answer

    Posted Wed August 04, 2021 10:42 AM

    Firstly, stateful rules will have a counter per-domain (unless you have the 'ANY domain' filter in the rule)

    Secondly - as you state for your environment that these are 'Local' rules and each domain is processed by one and only one EP - then those counters would be separated to the local EP anyway.

    The Domain filters are to handle more complex situations than your environment:

    • Global Rules
    • Domains which are not defined by EC/EP
    • Domains which span multiple EC/EP appliances
    • Rules which are only to be applied to a specific Domain (or which have different thresholds for stateful filters in each Domain)
    • Stateful rules which aggregate over the entire deployment and not just one Domain
    • etc...



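To make the two points above concrete (a stateful counter kept per domain unless the rule uses the 'ANY domain' filter, and a domain filter that restricts which events a rule sees at all), here is an added, simplified simulation of the "5 auth failures in 5 minutes" rule from the earlier question. It is illustrative code written for this thread, not QRadar's CRE or anything from IBM; the `Event` fields, the `ThresholdRule` class and the `SAMPLE_EVENTS` are all constructed assumptions, and real QRadar rule evaluation has many more knobs than this.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed event model (assumption): a minimal stand-in for a normalized log event.
@dataclass(frozen=True)
class Event:
    ts: float        # seconds since an arbitrary epoch
    domain: str      # tenant/domain the event was tagged with
    username: str
    category: str    # e.g. "Auth.Failure"


Offense = Tuple[str, str, float]  # (domain scope, username, timestamp that tripped the rule)


class ThresholdRule:
    """Stateful 'N matching events from the same user within W seconds' rule.

    - domains: optional domain filter; events from other domains are ignored entirely.
    - any_domain: when True, one deployment-wide counter per user is kept
      (the 'ANY domain' behaviour); otherwise the counter is partitioned per domain.
    """

    def __init__(self, name: str, category: str, threshold: int, window_s: float,
                 domains: Optional[Set[str]] = None, any_domain: bool = False) -> None:
        self.name = name
        self.category = category
        self.threshold = threshold
        self.window_s = window_s
        self.domains = domains
        self.any_domain = any_domain
        # counter state: (scope, username) -> timestamps of recent matching events
        self._buckets: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _scope(self, ev: Event) -> str:
        return "ANY" if self.any_domain else ev.domain

    def process(self, ev: Event) -> Optional[Offense]:
        """Feed one event; return an offense tuple if the threshold is crossed."""
        if ev.category != self.category:
            return None
        if self.domains is not None and ev.domain not in self.domains:
            return None  # domain filter: the rule never sees this event
        bucket = self._buckets[(self._scope(ev), ev.username)]
        bucket.append(ev.ts)
        # drop events that fell out of the sliding window
        while bucket and bucket[0] < ev.ts - self.window_s:
            bucket.popleft()
        if len(bucket) >= self.threshold:
            bucket.clear()  # reset so the same burst does not re-fire on every event
            return (self._scope(ev), ev.username, ev.ts)
        return None


def run_rule(rule: ThresholdRule, events: List[Event]) -> List[Offense]:
    """Replay events in time order through a fresh rule instance and collect offenses."""
    return [o for ev in sorted(events, key=lambda e: e.ts) if (o := rule.process(ev))]


# Constructed sample: 'alice' fails 3 times in each of domains C, A, B (8 total in 70 s),
# plus one success that must be ignored; 'bob' fails 5 times in domain A only.
SAMPLE_EVENTS: List[Event] = [
    Event(0.0, "C", "alice", "Auth.Failure"),
    Event(10.0, "C", "alice", "Auth.Failure"),
    Event(20.0, "A", "alice", "Auth.Failure"),
    Event(25.0, "A", "alice", "Auth.Success"),
    Event(30.0, "A", "alice", "Auth.Failure"),
    Event(40.0, "A", "alice", "Auth.Failure"),
    Event(50.0, "B", "alice", "Auth.Failure"),
    Event(60.0, "B", "alice", "Auth.Failure"),
    Event(70.0, "B", "alice", "Auth.Failure"),
] + [Event(100.0 + 10.0 * i, "A", "bob", "Auth.Failure") for i in range(5)]


def per_domain_offenses() -> List[Offense]:
    # Counter partitioned per domain: alice never reaches 5 in any single domain, bob does in A.
    return run_rule(ThresholdRule("auth-5in5", "Auth.Failure", 5, 300.0), SAMPLE_EVENTS)


def any_domain_offenses() -> List[Offense]:
    # 'ANY domain': alice's failures across C, A and B are summed, so she trips the rule too.
    return run_rule(ThresholdRule("auth-5in5-any", "Auth.Failure", 5, 300.0, any_domain=True),
                    SAMPLE_EVENTS)


def filtered_any_domain_offenses() -> List[Offense]:
    # Domain filter {A, B} plus ANY-domain counter: C's events are excluded, so alice trips later.
    return run_rule(ThresholdRule("auth-5in5-AB", "Auth.Failure", 5, 300.0,
                                  domains={"A", "B"}, any_domain=True), SAMPLE_EVENTS)


def domain_b_only_offenses() -> List[Offense]:
    # Rule applied to domain B only: bob's burst in A is invisible to it.
    return run_rule(ThresholdRule("auth-5in5-B", "Auth.Failure", 5, 300.0, domains={"B"}),
                    SAMPLE_EVENTS)


if __name__ == "__main__":
    for fn in (per_domain_offenses, any_domain_offenses,
               filtered_any_domain_offenses, domain_b_only_offenses):
        print(fn.__name__, "->", fn())
```

Running the four variants on the same events shows why the domain filter and the 'ANY domain' option are separate decisions: the per-domain rule fires only for bob in A, the ANY-domain rule also fires for alice because her failures in three tenants are counted together, and adding a domain filter changes which events reach the counter rather than how the counter is scoped. In a one-EP-per-domain deployment with local rules the per-domain case is what you get implicitly, which is the answer to the original question.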


  • 5.  RE: domain specific rules
    Best Answer

    Posted Wed August 04, 2021 04:41 PM

    Rules trigger based on their conditions, so if your rule does not have any domain-specific condition then the rule triggers whenever an event from any domain matches the condition. Here rule segregation is required to identify domain-specific offenses, and for other management purposes such as identifying the active rules of a domain and doing a gap analysis, etc.


