IBM QRadar

Hello,

I created a rule with a response that adds the username and log source time to a reference map. Where username is the reference map key and log source time is the reference map value. Works great.

I need to create a rule that removes data from that reference map. However, all I have is the username. When the event that triggers this new rule occurs I do not know what the original log source time was for that username in the reference map.

I do not see any options in the Rule Wizard that would allow me to remove from a reference map given just the key.

Am I missing something? If not, anyone have any ideas how to accomplish the second rule? A co-worker recommended having the second rule fire a custom action that would get all the items from the reference map, find the username I am after, get the value, then delete that entry. Should work, just seems like a lot of effort.

Thanks

Hi,

not quite sure what exactly you are trying to achieve. However if you identify the username in the map in the rule test i.e. test on ref map using username and logsource time found in the map you remove this entry in the response part of the rule without needing to know what log source time it has attached to it. All you need is the username as key to identify the correct entry in the map. No need to script around

BR Karl