Hi,
The following link outlines the procedure to create a custom rule
https://www.ibm.com/docs/en/qsip/7.5?topic=rules-creating-custom-rule
There are a number of tests which you can use to check for events coming from log sources or log source types:
- when the event(s) have not been detected by one or more of these log source types for this many seconds
- when the event(s) have not been detected by one or more of these log sources for this many seconds
- when the event(s) have not been detected by one or more of these log source groups for this many seconds
You can then have a rule response to generate an offense.
Thanks
------------------------------
John Dawson
Qradar Support Architect
IBM
------------------------------
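To show what the rule tests above actually evaluate, here is an added example (not from this reply and not IBM QRadar code) that performs the same "no events from this log source for this many seconds" check over a constructed event list. It assumes a hypothetical inventory of expected log sources, which is the role the "these log sources" selection plays in the rule test: a silent source never appears in the event stream, so the check has to start from the list of sources you expect to report.

```python
# Added example, not code from the original post or from QRadar itself.
# Mirrors the "event(s) have not been detected by one or more of these log
# sources for this many seconds" rule test over constructed sample data.
from datetime import datetime, timedelta, timezone

SILENCE_THRESHOLD = timedelta(minutes=30)  # 1800 seconds, as asked in the thread

# Constructed sample events: (log source name, event time in UTC)
SAMPLE_EVENTS = [
    ("fw-edge-01", datetime(2024, 4, 3, 8, 55, tzinfo=timezone.utc)),
    ("fw-edge-01", datetime(2024, 4, 3, 9, 10, tzinfo=timezone.utc)),
    ("dc-auth-01", datetime(2024, 4, 3, 7, 30, tzinfo=timezone.utc)),
    ("web-proxy-02", datetime(2024, 4, 3, 9, 14, tzinfo=timezone.utc)),
]

# Constructed (hypothetical) inventory of log sources expected to keep reporting.
# "vpn-gw-01" deliberately has no events at all.
EXPECTED_SOURCES = ["fw-edge-01", "dc-auth-01", "web-proxy-02", "vpn-gw-01"]

# Constructed evaluation time, so the example is deterministic offline.
NOW = datetime(2024, 4, 3, 9, 15, tzinfo=timezone.utc)


def last_seen(events):
    """Map each log source to the timestamp of its most recent event."""
    seen = {}
    for source, ts in events:
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen


def silent_sources(events, expected, now, threshold=SILENCE_THRESHOLD):
    """Return {source: seconds_silent} for every expected source whose latest
    event is older than `threshold`. A source with no events at all is reported
    with seconds_silent=None: it is silent, but the event data cannot say for
    how long, which is exactly why a query over events alone would miss it."""
    seen = last_seen(events)
    result = {}
    for source in expected:
        if source not in seen:
            result[source] = None
        elif now - seen[source] > threshold:
            result[source] = int((now - seen[source]).total_seconds())
    return result


if __name__ == "__main__":
    for source, secs in silent_sources(SAMPLE_EVENTS, EXPECTED_SOURCES, NOW).items():
        age = "never seen" if secs is None else f"{secs} seconds"
        print(f"offense candidate: {source} silent for {age}")
```

In the thread's scenario the rule response that raises the offense would fire for each entry this function returns; in QRadar the 30 minutes is entered as 1800 seconds in the test.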
Original Message:
Sent: Wed April 03, 2024 03:26 AM
From: Venkateshwaran S
Subject: Trigger offense when log source is not ingesting events to QRadar
Can someone help me with the QRadar rule to trigger an offense when a log source doesn't ingest events to QRadar in the last 30 minutes? While this sounds very basic, being new to QRadar I would expect someone to help with the QRadar rule to achieve this. Thanks.
------------------------------
Venkateshwaran S
------------------------------