IBM QRadar

  • 1.  API Connection cut-off rule filter

    Posted Tue July 18, 2023 04:00 AM

    Hi,

    I want to create a rule about the API connection being cut off for 1 min. I used the filters below but it doesn't work.

    APPLY API has not connected to Qradar for 10 Minutes on events which are detected by the LOCAL system
    AND when the event(s) were detected by one or more of SIM Audit-2 :: qradar
    AND when the event QID is one of the following (28250286) API request successful
    AND when the event matches Username is any of API_USER
    AND NOT when at least events are seen with the same Username in 1 minutes

    How can I fix this rule? Thanks,


    ------------------------------
    İsmail Kaya
    ------------------------------


  • 2.  RE: API Connection cut-off rule filter

    Posted Tue August 22, 2023 03:20 PM
    Edited by İsmail Kaya Tue August 22, 2023 03:21 PM

    Hi all,

    Are there any suggestions?

    Note: The API request failure event doesn't occur for this user.

    Thanks for your response.



    ------------------------------
    İsmail Kaya
    ------------------------------