IBM QRadar

 Reverse Containment Check: Can QRadar Rule Conditions Check if a Reference Set Value is Contained in an Extracted Field?

Hitesh Sungar posted Wed July 30, 2025 03:18 PM

Hi Team,

I'm trying to create a rule condition in QRadar where I can perform a reverse containment check — i.e., instead of checking whether a field's value is contained in a reference set, I want to check if any value in the reference set is contained within a specific extracted field.

Example scenario:

Extracted field: URL → value from the log is abcd.com/1

Reference set: Suspicious URLs → contains values like abcd.com, xyz.com, etc.

In QRadar, I can configure a rule like:

AND when any of URL are contained in any of Suspicious URLs

However, this only matches if the entire URL field exactly matches a value in the reference set.
I want to reverse this logic — something like:

AND when any of Suspicious URLs are contained in the URL field

So if abcd.com exists in the reference set and the URL is abcd.com/1, it should match.

Is this kind of reverse containment check possible in QRadar rule logic?
If not, are there any workarounds?

Thanks in advance!
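The post contrasts two match semantics: the rule test it already has (the whole URL field must equal a reference set entry) and the reverse containment it wants (a reference set entry appears somewhere inside the field). The script below is an added example, not QRadar rule logic and not code from the post; it runs both checks over constructed sample URLs and a constructed stand-in for the Suspicious URLs reference set, and adds a third check that normalizes the field to its host before comparing. The third check is there because raw substring containment over-matches: an entry such as abcd.com is also a substring of notabcd.com/1 and of abcd.com.evil.example/x, and of a URL that merely carries the value in its query string. The reference set contents, sample URLs and function names are assumptions made for the example.

```python
"""
Added example (not QRadar rule logic, not code from the post).

Three ways to match an extracted URL field against a reference set:
  exact_match       - the field equals an entry (the check the post already has)
  reverse_contains  - any entry is a substring of the field (the reverse check asked for)
  host_match        - normalize the field to its host, then require equality or a
                      subdomain relationship (avoids the substring false positives)
"""
from urllib.parse import urlsplit

# Constructed stand-in for the "Suspicious URLs" reference set (assumption).
SUSPICIOUS_URLS = {"abcd.com", "xyz.com"}

# Constructed sample values of the extracted URL field (assumption).
SAMPLE_URLS = [
    "abcd.com",                   # whole field equals an entry
    "abcd.com/1",                 # the post's case: entry is a prefix of the field
    "http://xyz.com/login?next=/",  # entry embedded in a full URL
    "notabcd.com/1",              # substring hit, but a different host
    "abcd.com.evil.example/x",    # substring hit, attacker-chosen parent domain
    "safe.example/?u=abcd.com",   # substring hit only inside the query string
    "sub.abcd.com/path",          # subdomain of a listed host
]


def exact_match(url, refset):
    """Field is contained in the reference set: the entire value must equal an entry."""
    return url in refset


def reverse_contains(url, refset):
    """Reverse containment: some reference set entry is a substring of the field."""
    return any(ref in url for ref in refset)


def host_of(url):
    """Return the host portion of a URL field.

    Scheme-less values like 'abcd.com/1' are prefixed with '//' so urlsplit
    treats the first token as the network location rather than a path.
    """
    if "//" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""


def host_match(url, refset):
    """Normalize to host first, then compare: equal to an entry or a subdomain of one."""
    host = host_of(url)
    return any(host == ref or host.endswith("." + ref) for ref in refset)


def evaluate(urls=SAMPLE_URLS, refset=SUSPICIOUS_URLS):
    """Map each sample URL to (exact, substring, host) match results."""
    return {
        u: (exact_match(u, refset), reverse_contains(u, refset), host_match(u, refset))
        for u in urls
    }


if __name__ == "__main__":
    for url, (e, r, h) in evaluate().items():
        print(f"{url:32} exact={e!s:5} substring={r!s:5} host={h!s:5}")
```

Running it shows that only the first sample passes the exact check, every sample passes the plain substring check, and the host check passes the four samples whose host actually is (or is under) a listed domain while rejecting the three substring-only hits. The practical point for the rule author is that "reverse containment" on the raw field is the easy version of the check but not the precise one; extracting the host into its own field and then reusing the existing "contained in reference set" test gives the stricter semantics without any reverse lookup at all.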