Hi Team,
I want to configure a rule in QRadar that will generate an offense if no logs are received from two specific log sources (DC & DR) within a window of 3600 seconds (1 hour). The idea is to monitor the availability of these two log sources (configured in an Active-Passive setup), and if both stop sending logs for an hour, an offense should be triggered. Could someone please guide me on the best way to achieve this in QRadar? Specifically, I have explored the rule conditions but encountered the following limitations:

1. Log Source Type – Both log sources are tagged under the same group, but the offense triggers if either log source stops sending logs. It seems to treat each log source separately.
2. Log Source Group – This also treats the log sources as separate entities and doesn’t help in monitoring both collectively.
3. Log Sources Condition – I’m unable to add two log sources under one log absence condition. When I try, it again treats them as separate sources, triggering the rule even if only one stops sending logs.
Do yourself a huge favor and use the QMLA app. It has specific functionality for HA groups and reduces things to a single rule.
You can add them to a single group and apply rule condition to the LSG.
No Worries, I have created AQL query for this workflow !!
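The thread never shows the rule or AQL itself, so the following is an added Python model of the detection logic the question asks for (it is not QRadar code, not the QMLA app, and not the poster's AQL query). It reads constructed sample events with a timestamp and a log source name, finds the last event per source, and contrasts the per-source absence check the poster observed (fires when either DC or DR goes quiet) with the HA-group check they want (fires only when both have been silent for the full 3600-second window). The log source names `DC-Server` and `DR-Server` and the sample event lines are assumptions made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events, not from the thread.
# Format: "<ISO-8601 UTC timestamp> <log source name> <message>"
SAMPLE_EVENTS = [
    "2024-05-01T10:05:00Z DC-Server 4624 logon success",
    "2024-05-01T10:30:00Z DR-Server 4624 logon success",
    "2024-05-01T11:20:00Z DC-Server 4634 logoff",
    "2024-05-01T11:30:00Z DC-Server 4624 logon success",
    "2024-05-01T11:45:00Z Firewall-01 allow tcp/443",
]

HA_GROUP = ("DC-Server", "DR-Server")  # hypothetical names for the Active-Passive pair
WINDOW = timedelta(seconds=3600)       # the 1-hour absence window from the question


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample events."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(lines):
    """Return a list of (timestamp, log_source) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        try:
            events.append((parse_ts(parts[0]), parts[1]))
        except ValueError:
            continue
    return events


def last_seen(events):
    """Most recent event timestamp per log source."""
    seen = {}
    for ts, source in events:
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen


def silent_sources(seen, now, window, group):
    """Members of `group` with no event inside the last `window` before `now`.
    A source that has never sent anything at all counts as silent too."""
    return {s for s in group if s not in seen or now - seen[s] >= window}


def per_source_absence_fires(seen, now, window=WINDOW, group=HA_GROUP):
    """Behaviour the poster observed: one absence condition per source, so a single quiet source fires."""
    return len(silent_sources(seen, now, window, group)) > 0


def group_absence_fires(seen, now, window=WINDOW, group=HA_GROUP):
    """Desired behaviour: fire only when every member of the HA pair has been silent for the whole window."""
    return silent_sources(seen, now, window, group) == set(group)


def evaluate_at(lines, now_iso, window=WINDOW, group=HA_GROUP):
    """Evaluate both checks as of the given timestamp string and return the verdicts."""
    now = parse_ts(now_iso)
    seen = last_seen(parse_events(lines))
    return {
        "silent": sorted(silent_sources(seen, now, window, group)),
        "per_source_fires": per_source_absence_fires(seen, now, window, group),
        "group_fires": group_absence_fires(seen, now, window, group),
    }


if __name__ == "__main__":
    # At 12:00 only DR has been quiet for an hour: the per-source rule fires, the group rule does not.
    # At 13:00 both DC and DR have been quiet for over an hour: the group rule fires.
    for now_iso in ("2024-05-01T12:00:00Z", "2024-05-01T13:00:00Z"):
        print(now_iso, evaluate_at(SAMPLE_EVENTS, now_iso))
```

The point of the comparison is that "both silent" is a property of the group, not of either source, so it has to be computed over the pair's most recent event regardless of which member sent it; a condition evaluated per log source will always fire on the passive node. Whatever mechanism you use in QRadar (the QMLA app's HA-group handling, a group-level condition, or a scheduled AQL query), it should reduce to the `group_absence_fires` check above. Note also that a source with no events at all in the evaluation period is treated as silent rather than ignored, which is the failure mode that matters for an availability rule.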