IBM QRadar

  • 1.  Custom Rule

    Posted Thu July 14, 2022 11:11 AM

    Hi,

    I tried to exclude (AND NOT) events where the source and destination IP are the same, but I could not find an option for this in the Rule Wizard.

    How can I add this condition? Could anyone please help me get this resolved?

    Thanks



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Custom Rule

    Posted Thu July 14, 2022 02:37 PM

    You can use an AQL query and call it in the rule.





  • 3.  RE: Custom Rule

    Posted Thu August 18, 2022 06:09 AM

    Thanks Thobiyas.


    I tried using the query below. It works in search, but I get a different error when I try to add it in the rule wizard.


    SELECT sourceip, destinationip FROM events WHERE sourceip != destinationip GROUP BY sourceip


    Error:

    "You must specify at least one column in the Group By list to create a rule of this type. Edit the saved search and try again."


    Any idea how to resolve it?



    Thanks

    Arunkumar






  • 4.  RE: Custom Rule

    Posted Fri December 02, 2022 07:22 AM

    Hi,

    You can use this stack in the rule wizard:

    when this property equals this property

    This can be modified to:

    and NOT when Source IP not equals Destination IP



    ------------------------------
    Arunkumar R
    ------------------------------
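
An added example, not taken from any post in this thread: an aggregated form of the AQL search from reply 3, which is the shape the quoted error asks for (every selected non-aggregate column also appears in the GROUP BY, and the search reports an aggregate). The five-minute window, the `hits` alias and grouping on both addresses are illustrative choices, not requirements taken from the thread.

```sql
-- Added example (not from the thread). Keeps only events whose source and
-- destination addresses differ, i.e. excludes source == destination, and
-- groups on both addresses so the saved search satisfies the Group By
-- requirement quoted in the error message.
-- Assumptions: the LAST 5 MINUTES window and the "hits" alias are
-- illustrative; adjust to the rule's intended scope.
SELECT sourceip, destinationip, COUNT(*) AS hits
FROM events
WHERE sourceip != destinationip
GROUP BY sourceip, destinationip
LAST 5 MINUTES
```

Two checks before saving this as a rule search. First, the direction of the comparison: `!=` keeps the pairs that differ, which is what "exclude events where source and destination are the same" needs; `=` would keep only the looped traffic. Second, in the rule wizard the `and NOT` prefix negates the whole test it wraps, so `and NOT ... not equals` matches when the two addresses are equal, while `and NOT ... equals` matches when they differ. Run the search in Log Activity against a window that is known to contain both kinds of events and confirm which rows survive before attaching it to a rule.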