Sulaiman,
You might want to take a look at the QRadar Tuning App (recently released as Early Access). It is intended to assist with rules and help you identify rules that need tuning on your Console. I recently wrote up an article on how to automate rule updates, but you can use this link to get to the app as I link in the article here: How to automate rule imports for the QRadar Tuning App (XML format).
If this is indeed a cyclical rule, there should have been a system notification fired to alert you to this issue. QID 38750131 - Found custom rules cyclic dependency chain. When you see this notification, it means that, "A single rule referred to itself directly or to itself through a series of other rules or building blocks."
I'm not sure if you are still having issues with this rule, but you take a look at the tuning app or post your rule here and we can advise on how to help tune this rule more effectively. Or provide some context for the rule or a screen capture (be sure to blur sensitive info first).
Sorry for the delayed response. If this is indeed a support issue, we can discuss in a case or you can ask in the official QRadar Support forums. Let us know how we can assist further.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com------------------------------
Original Message:
Sent: 03-13-2019 05:42 PM
From: Sulaiman M
Subject: QRadar has a custom rule written to self to fire
Hi,
I have been noticing a lot of high traffic false positive from QRadar firing a rule written to the custom rule engine().
Looking at an easier way to fine-tune QRadar Alerts and I found a rule written to Qradar to itself, see below: Its creating 13K in events per 24 hours.
Thanks,
Sulaiman
------------------------------
Sulaiman M
------------------------------