IBM Security QRadar

Greetings,
Is there a log in QRadar that tracks the time and date a particular rule fired? We're looking to use this for metrics so that we can show the increase or reduction in the number of times a rule was activated.

Thanks

------------------------------
BrianBrehart
------------------------------

Hi Brian,

When it comes to metrics on your top talking rules, would it help for you to create a report the top talking rules, and then add a trending chart to that data?

------------------------------
DRAYTON GRAHAM
------------------------------

Original Message:
Sent: 03-08-2019 10:19 AM
From: Brian Brehart
Subject: Log of rules firing

Greetings,
Is there a log in QRadar that tracks the time and date a particular rule fired? We're looking to use this for metrics so that we can show the increase or reduction in the number of times a rule was activated.

Thanks

------------------------------
BrianBrehart
------------------------------

Drayton,

It might at that. Do you have a recommendation as to how to make that go? 

Thanks,
Brian

------------------------------
BrianBrehart
------------------------------

Original Message:
Sent: 03-08-2019 11:35 AM
From: DRAYTON GRAHAM
Subject: Log of rules firing

Hi Brian,

When it comes to metrics on your top talking rules, would it help for you to create a report the top talking rules, and then add a trending chart to that data?

------------------------------
DRAYTON GRAHAM

Original Message:
Sent: 03-08-2019 10:19 AM
From: Brian Brehart
Subject: Log of rules firing

Greetings,
Is there a log in QRadar that tracks the time and date a particular rule fired? We're looking to use this for metrics so that we can show the increase or reduction in the number of times a rule was activated.

Thanks

------------------------------
BrianBrehart
------------------------------

Another option would be to configure a rule response to dispatch a new event for any particular rule you wish to track.    You could then search and report on the dispatched events to analyze rule hit times, rates, trends, etc. 

Thanks,
Shannon Tompkins

------------------------------
SHANNON TOMPKINS
------------------------------

Original Message:
Sent: 03-08-2019 12:16 PM
From: Brian Brehart
Subject: Log of rules firing

Drayton,

It might at that. Do you have a recommendation as to how to make that go? 

Thanks,
Brian

------------------------------
BrianBrehart

Original Message:
Sent: 03-08-2019 11:35 AM
From: DRAYTON GRAHAM
Subject: Log of rules firing

Hi Brian,

When it comes to metrics on your top talking rules, would it help for you to create a report the top talking rules, and then add a trending chart to that data?

------------------------------
DRAYTON GRAHAM

Original Message:
Sent: 03-08-2019 10:19 AM
From: Brian Brehart
Subject: Log of rules firing

Greetings,
Is there a log in QRadar that tracks the time and date a particular rule fired? We're looking to use this for metrics so that we can show the increase or reduction in the number of times a rule was activated.

Thanks

------------------------------
BrianBrehart
------------------------------

You may want to use the SIEM Tuning Report (CRE event report) as a starting point.
Look at about 36 minutes into the following (Tuning Methodology):
QRadar Open Mic #24 Replay: Let's talk about Tuning QRadar (16 May 2017)

YouTube		remove preview
QRadar Open Mic #24 Replay: Let's talk about Tuning QRadar (16 May 2017) This video provides a replay of IBM Security QRadar Open Mic #24: "Let's talk about Tuning QRadar" that was hosted on 16 May 2017. The presentation for this Open Mic is available as a PDF at http://ibm.co/2qsGhOJ - For your convenience, the following time stamps are provided... View this on YouTube >

------------------------------
Kelly Abbott
------------------------------

Original Message:
Sent: 03-11-2019 08:25 AM
From: SHANNON TOMPKINS
Subject: Log of rules firing

Another option would be to configure a rule response to dispatch a new event for any particular rule you wish to track.    You could then search and report on the dispatched events to analyze rule hit times, rates, trends, etc. 

Thanks,
Shannon Tompkins

------------------------------
SHANNON TOMPKINS

Original Message:
Sent: 03-08-2019 12:16 PM
From: Brian Brehart
Subject: Log of rules firing

Drayton,

It might at that. Do you have a recommendation as to how to make that go? 

Thanks,
Brian

------------------------------
BrianBrehart

Original Message:
Sent: 03-08-2019 11:35 AM
From: DRAYTON GRAHAM
Subject: Log of rules firing

Hi Brian,

When it comes to metrics on your top talking rules, would it help for you to create a report the top talking rules, and then add a trending chart to that data?

------------------------------
DRAYTON GRAHAM

Original Message:
Sent: 03-08-2019 10:19 AM
From: Brian Brehart
Subject: Log of rules firing

Greetings,
Is there a log in QRadar that tracks the time and date a particular rule fired? We're looking to use this for metrics so that we can show the increase or reduction in the number of times a rule was activated.

Thanks

------------------------------
BrianBrehart
------------------------------

Sorry I didn't get back sooner, but did that Open Mic help with what you were looking for?

------------------------------
DRAYTON GRAHAM
------------------------------

Original Message:
Sent: 03-08-2019 12:16 PM
From: Brian Brehart
Subject: Log of rules firing

Drayton,

It might at that. Do you have a recommendation as to how to make that go? 

Thanks,
Brian

------------------------------
BrianBrehart

Original Message:
Sent: 03-08-2019 11:35 AM
From: DRAYTON GRAHAM
Subject: Log of rules firing

Hi Brian,

When it comes to metrics on your top talking rules, would it help for you to create a report the top talking rules, and then add a trending chart to that data?

------------------------------
DRAYTON GRAHAM

Original Message:
Sent: 03-08-2019 10:19 AM
From: Brian Brehart
Subject: Log of rules firing

Greetings,
Is there a log in QRadar that tracks the time and date a particular rule fired? We're looking to use this for metrics so that we can show the increase or reduction in the number of times a rule was activated.

Thanks

------------------------------
BrianBrehart
------------------------------