QRadar XDR


Don't understand error "Do not mix lack of device event tests with any other event test conditions"

  • 1.  Don't understand error "Do not mix lack of device event tests with any other event test conditions"

    Posted Mon November 04, 2019 04:58 PM
    Edited by Richard Giesige Mon November 04, 2019 04:59 PM

    Hello,

    I'm trying to tune out some alerts for a flow offense with a bunch of different "AND NOT" statements. When I put an AQL statement in at the bottom of the filter I get a warning "Please do not mix lack of device events test with any other event test conditions". I'm not really understanding what this means in my context.

    Current Rule:
    Apply {Rule Name} on flows which are detected by the Local system
    and when the source bytes is greater than 500000000
    and when the flow context is Local to Remote
    and when the source network is Server_Networks
    and NOT when any of Destination IP, Source IP are contained in any of {Whitelist 1}, {Whitelist 2}
    and NOT when the destination network is External_Networks
    and NOT when the source network is {Defined Networks}
    and NOT when any of Destination Port are contained in any of {Reference List}

    What I would like is to add a rule for a specific flow AQL to this rule:
    and NOT when the flow matches (INCIDR('10.0.0.0/24', sourceip) OR INCIDR('10.1.0.0/24',sourceip)) AND INCIDR('8.8.8.0/24',destinationip) AQL filter query

    Once I add this to the rule I get the error I mentioned above. I don't feel that I have a lack of device event. I'm just trying to filter out communication from the offense for these ranges and external destination.

    Any help would be great on the explanation of the specific error.

    Thanks


    #AQL #Offense #Filter #Error
    ------------------------------
    Richard Giesige
    ------------------------------
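The rule text in the post combines positive flow tests with an "and NOT" AQL exclusion whose inner `OR` is parenthesised before the `AND`. The following added example, which is not part of the original post and is not QRadar or IBM code, models just that boolean composition in Python over a handful of constructed flow records, so the reader can check which flows the exclusion clause removes and which still fire. It uses the thresholds, network name and CIDR ranges from the post, mirrors `INCIDR(cidr, ip)` with the standard `ipaddress` module, and deliberately leaves out the whitelist and reference-set tests, which are assumed to be satisfied; it does not model QRadar's rule engine or explain the "lack of device events" warning itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Flow:
    """Constructed stand-in for a QRadar flow record (hypothetical field set)."""
    sourceip: str
    destinationip: str
    sourcebytes: int
    flow_context: str      # e.g. "Local to Remote"
    source_network: str    # network-hierarchy name, e.g. "Server_Networks"


# Values taken from the rule text in the post.
SOURCE_BYTES_THRESHOLD = 500_000_000
REQUIRED_CONTEXT = "Local to Remote"
REQUIRED_SOURCE_NETWORK = "Server_Networks"


def incidr(cidr: str, ip: str) -> bool:
    """Mirror of AQL INCIDR(cidr, ip): True when ip lies inside cidr."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def excluded_by_aql(flow: Flow) -> bool:
    """The posted exclusion clause, with the OR evaluated before the AND:
    (src in 10.0.0.0/24 OR src in 10.1.0.0/24) AND dst in 8.8.8.0/24."""
    source_in_ranges = (
        incidr("10.0.0.0/24", flow.sourceip) or incidr("10.1.0.0/24", flow.sourceip)
    )
    return source_in_ranges and incidr("8.8.8.0/24", flow.destinationip)


def rule_fires(flow: Flow) -> bool:
    """Simplified version of the posted rule: the positive tests must all hold,
    and the flow must NOT match the AQL exclusion. The whitelist and
    reference-set tests from the post are assumed satisfied and omitted."""
    if flow.sourcebytes <= SOURCE_BYTES_THRESHOLD:
        return False
    if flow.flow_context != REQUIRED_CONTEXT:
        return False
    if flow.source_network != REQUIRED_SOURCE_NETWORK:
        return False
    return not excluded_by_aql(flow)


# Constructed sample flows; none of these are real traffic records.
SAMPLE_FLOWS: List[Flow] = [
    # Both halves of the exclusion match: tuned out.
    Flow("10.0.0.5", "8.8.8.8", 600_000_000, "Local to Remote", "Server_Networks"),
    # Second source range, same destination range: tuned out.
    Flow("10.1.0.7", "8.8.8.20", 700_000_000, "Local to Remote", "Server_Networks"),
    # Source matches but destination is outside 8.8.8.0/24: still fires.
    Flow("10.0.0.5", "1.1.1.1", 600_000_000, "Local to Remote", "Server_Networks"),
    # Destination matches but source is outside both ranges: still fires.
    Flow("10.2.0.9", "8.8.8.8", 600_000_000, "Local to Remote", "Server_Networks"),
    # Below the byte threshold: never fires regardless of the exclusion.
    Flow("10.2.0.9", "8.8.8.8", 100, "Local to Remote", "Server_Networks"),
]


def evaluate(flows: List[Flow]) -> List[Flow]:
    """Return the flows that would still contribute to the offense."""
    return [f for f in flows if rule_fires(f)]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_FLOWS):
        print(f"fires: {f.sourceip} -> {f.destinationip} ({f.sourcebytes} bytes)")
```

Running the script prints the two flows that survive the exclusion (source in a listed range but destination elsewhere, and the reverse), which is the behaviour the post's parenthesised clause is meant to produce; dropping the parentheses would change the precedence and let `INCIDR('10.0.0.0/24', sourceip)` alone exclude a flow.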