IBM Security QRadar


Qradar Reference sets; trigger an offense if a reference set is empty

  • 1.  Qradar Reference sets; trigger an offense if a reference set is empty

    Posted Tue October 12, 2021 07:08 AM

    Hi all,

    I want to create an offense if a reference set is empty. I want to do this because we want to monitor whether we stop receiving logs from all the members of a log source group (they are configured in an active/passive cluster, so we can receive logs only from some of them at any time).

    What we did is create 2 reference sets with a TTL equal to the monitoring period (12 h). One will hold the active log sources and the other the passive ones. We have 2 other rules that move the log sources between the 2 reference sets when they change their state. (P.S. we can do this only with the active ones; however, we're testing out the logic.)

    We could not find the option from the rules to trigger the offense.



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Qradar Reference sets; trigger an offense if a reference set is empty

    Posted Tue October 12, 2021 07:05 PM

    Hi,

    Just an idea: how about the following rule test expression from the rule wizard: "and when the event(s) have not been detected by one or more of these log source groups for this many seconds"?

    Regards,

    Ralph





  • 3.  RE: Qradar Reference sets; trigger an offense if a reference set is empty

    Posted Thu October 14, 2021 10:19 AM

    Hi Ralph,

    We tried this already, but an offense is triggered because of the passive node; this is the reason we're trying to implement the monitoring with the reference sets. We want to have an offense when ALL the log sources from the group fail AT ONCE, not just one of them at a time.




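The monitoring described in posts 1 and 3 (two TTL-based reference sets, alert only when every member of the group has gone quiet) can also be checked from outside the rule engine. The script below is an added example, not code from the thread or from IBM: it reads the active and passive reference sets over the QRadar REST API and classifies the cluster state. It assumes the `GET /api/reference_data/sets/{name}` endpoint, the `SEC` token header and the `number_of_elements` / `data` response fields; the console URL, token and set names are placeholders taken from environment variables, and the sample payloads in `main()` are constructed for an offline run.

```python
"""Check QRadar reference sets (added example; assumptions noted inline).

Assumed API shape: GET /api/reference_data/sets/{name} with a 'SEC' header
returns JSON containing 'number_of_elements' and a 'data' list. Entries
whose TTL has expired are not returned, so a set whose members all expired
reads as empty, which is exactly the condition the thread wants to catch.
"""
import json
import os
import urllib.parse
import urllib.request


def count_members(payload: dict) -> int:
    """Element count of a reference-set response.

    Prefers 'number_of_elements'; falls back to the length of 'data' when
    that field is absent (for example in a field-filtered response).
    """
    n = payload.get("number_of_elements")
    if isinstance(n, int):
        return n
    return len(payload.get("data") or [])


def is_reference_set_empty(payload: dict) -> bool:
    """True when no live (non-expired) members remain in the set."""
    return count_members(payload) == 0


def classify_cluster(active: dict, passive: dict) -> str:
    """Interpretation (added here) of the two sets from the thread.

    'ok'       - at least one active member is still sending logs
    'failover' - the active set is empty but passive members still report
    'outage'   - both sets are empty: the whole group stopped at once
    """
    if count_members(active) > 0:
        return "ok"
    if count_members(passive) > 0:
        return "failover"
    return "outage"


def fetch_reference_set(console: str, token: str, name: str,
                        timeout: int = 30) -> dict:
    """GET /api/reference_data/sets/{name} (assumed endpoint and header)."""
    url = (console.rstrip("/") + "/api/reference_data/sets/"
           + urllib.parse.quote(name, safe=""))
    req = urllib.request.Request(
        url, headers={"SEC": token, "Accept": "application/json"})
    # Default TLS verification is kept on; do not disable it for a SIEM.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def main() -> None:
    # Constructed sample payloads so the example runs without a console.
    sample_active = {"name": "LSG_ACTIVE", "number_of_elements": 0, "data": []}
    sample_passive = {"name": "LSG_PASSIVE", "number_of_elements": 1,
                      "data": [{"value": "fw-node-b", "source": "rule"}]}
    print("offline sample:", classify_cluster(sample_active, sample_passive))

    # Live check only when placeholder settings are supplied (assumed names).
    console = os.environ.get("QRADAR_CONSOLE")       # e.g. https://qradar.example
    token = os.environ.get("QRADAR_TOKEN")
    if console and token:
        active = fetch_reference_set(console, token,
                                     os.environ.get("ACTIVE_SET", "LSG_ACTIVE"))
        passive = fetch_reference_set(console, token,
                                      os.environ.get("PASSIVE_SET", "LSG_PASSIVE"))
        state = classify_cluster(active, passive)
        print("live state:", state)
        if state == "outage":
            # Hand off to whatever alerting the SOC uses; exit code lets
            # a scheduler such as cron flag the failure.
            raise SystemExit(2)


if __name__ == "__main__":
    main()
```

Run it from a scheduler at an interval shorter than the 12 h TTL so an empty set is noticed before the next refresh window; a non-zero exit on `outage` is what the scheduler alerts on.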

  • 4.  RE: Qradar Reference sets; trigger an offense if a reference set is empty

    Posted Tue May 21, 2024 12:51 PM
    Edited by M Re Tue May 21, 2024 01:52 PM

    Hi, have you ever found a solution?



    ------------------------------
    MRe
    ------------------------------