Hi Team,
I'm trying to create a rule condition in QRadar where I can perform a reverse containment check — i.e., instead of checking whether a field's value is contained in a reference set, I want to check if any value in the reference set is contained within a specific extracted field.
Example scenario:
Extracted field: URL → value from the log is abcd.com/1
Reference set: Suspicious URLs → contains values like abcd.com, xyz.com, etc.
In QRadar, I can configure a rule like:
AND when any of URL are contained in any of Suspicious URLs
However, this only matches if the entire URL field exactly matches a value in the reference set.
I want to reverse this logic — something like:
AND when any of Suspicious URLs are contained in the URL field
So if abcd.com exists in the reference set and the URL is abcd.com/1, it should match.
Is this kind of reverse containment check possible in QRadar rule logic?
If not, are there any workarounds?
Thanks in advance!
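To make the requested comparison concrete, here is a small added Python example written for this thread; it is not the poster's QRadar configuration and not IBM code, and it only models the comparison outside the rule engine. The reference set entries and URLs are constructed sample data. It goes slightly beyond the question: alongside the literal "any set entry is a substring of the field" check it adds a host-suffix variant, because the plain substring form also fires on notabcd.com/1 or on a URL that merely carries abcd.com in its query string.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the "Suspicious URLs" reference set (sample data only).
SUSPICIOUS_URLS = {"abcd.com", "xyz.com"}

# Constructed sample of extracted URL field values as they might come out of logs.
SAMPLE_URL_FIELDS = [
    "abcd.com/1",                        # should match: host is a set entry
    "https://mail.xyz.com/login",        # should match: subdomain of a set entry
    "notabcd.com/1",                     # substring check fires here; host check does not
    "https://evil.example/?r=abcd.com",  # set entry only appears in the query string
    "https://safe.example/page",         # no match either way
]


def host_of(url):
    """Return the lower-cased host of a URL.

    Log fields like 'abcd.com/1' often lack a scheme, so one is prepended
    to let urlsplit() recognise the host part.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def naive_reverse_contains(url, refset):
    """Literal form of the requested rule: any reference set entry is a substring of the field.

    This is what 'when any of Suspicious URLs are contained in the URL field' would do
    if read as a plain substring test. It matches abcd.com/1 as desired, but also
    notabcd.com/1 and evil.example/?r=abcd.com.
    """
    return any(entry in url for entry in refset)


def host_reverse_contains(url, refset):
    """Stricter form: the field's host equals a set entry or is a subdomain of it."""
    host = host_of(url)
    for entry in refset:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def matching_entries(url, refset):
    """Return the sorted set entries that the host check matched, useful for rule annotations."""
    host = host_of(url)
    hits = [e for e in refset
            if host == e.lower() or host.endswith("." + e.lower().rstrip("."))]
    return sorted(hits)


def compare_checks(urls, refset):
    """Run both checks over a batch of field values and report where they disagree."""
    return [(url, naive_reverse_contains(url, refset), host_reverse_contains(url, refset))
            for url in urls]


if __name__ == "__main__":
    for url, naive, strict in compare_checks(SAMPLE_URL_FIELDS, SUSPICIOUS_URLS):
        flag = "" if naive == strict else "   <- checks disagree"
        print(f"{url:40} substring={naive!s:5} host-suffix={strict!s:5}{flag}")
```

The host-suffix variant is the one to prefer when the reference set holds domains rather than full URLs: it still matches abcd.com/1 against the entry abcd.com, but it stops a domain that merely ends in or embeds a set entry from firing the rule.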