IBM Security QRadar

I have been reading QRadar component documentation and I've the following hypothetical question: let's imagine a distributed deployment with appliances for Event Collector, Event Processor, Flow Collector, Flow Processor and a console (not an All-in-one). As far as I know, events are processed by the CRE that resides in QRadar Event Processor. Flows are processed in QRadar Flow Processor. But, what happens with common rules (those that use flows and events)? who is responsible of processing this type of rules that search for event and flow data?

Thanks in advanced

------------------------------
A CG
------------------------------

As I recall from "way back", flow records were "converted" to the common format and sent from flow to event collector instance - thus enabling functioning of common rules and event/flow correlation.

------------------------------
Dusan VIDOVIC
------------------------------

Original Message:
Sent: Sun September 08, 2019 11:23 AM
From: A CG
Subject: Question about common rules processing

I have been reading QRadar component documentation and I've the following hypothetical question: let's imagine a distributed deployment with appliances for Event Collector, Event Processor, Flow Collector, Flow Processor and a console (not an All-in-one). As far as I know, events are processed by the CRE that resides in QRadar Event Processor. Flows are processed in QRadar Flow Processor. But, what happens with common rules (those that use flows and events)? who is responsible of processing this type of rules that search for event and flow data?

Thanks in advanced

------------------------------
A CG
------------------------------

Hi,
The fields found in both the event and flows are checked to trigger a common rule. For example, the field Source IP may be seen in both  Log Activity and Network Activity and can therefore be used to trigger the common rule. The rule triggers only when seen in both.
The knowledge center has a definition of this under the Rule Types section in Rules.

Regards.
Sree

------------------------------
SREE ANANTHASAYANAM
------------------------------

Original Message:
Sent: Mon September 09, 2019 04:22 AM
From: Dusan VIDOVIC
Subject: Question about common rules processing

As I recall from "way back", flow records were "converted" to the common format and sent from flow to event collector instance - thus enabling functioning of common rules and event/flow correlation.

------------------------------
Dusan VIDOVIC

Original Message:
Sent: Sun September 08, 2019 11:23 AM
From: A CG
Subject: Question about common rules processing

I have been reading QRadar component documentation and I've the following hypothetical question: let's imagine a distributed deployment with appliances for Event Collector, Event Processor, Flow Collector, Flow Processor and a console (not an All-in-one). As far as I know, events are processed by the CRE that resides in QRadar Event Processor. Flows are processed in QRadar Flow Processor. But, what happens with common rules (those that use flows and events)? who is responsible of processing this type of rules that search for event and flow data?

Thanks in advanced

------------------------------
A CG
------------------------------

Hi,
     Common rules still have the option of being local or global so you need to configure it based on your deployment:
Local = Events and flows going to the same VM
Global = Events & Flows going to different VM's, therefore correlation is done at the console level.

Cheers

------------------------------
Brian Robertson
------------------------------

Original Message:
Sent: Sun September 08, 2019 11:23 AM
From: A CG
Subject: Question about common rules processing

I have been reading QRadar component documentation and I've the following hypothetical question: let's imagine a distributed deployment with appliances for Event Collector, Event Processor, Flow Collector, Flow Processor and a console (not an All-in-one). As far as I know, events are processed by the CRE that resides in QRadar Event Processor. Flows are processed in QRadar Flow Processor. But, what happens with common rules (those that use flows and events)? who is responsible of processing this type of rules that search for event and flow data?

Thanks in advanced

------------------------------
A CG
------------------------------