IBM Security QRadar

  • 1.  Custom Rule

    Posted Thu July 14, 2022 11:11 AM

    Hi,

    I tried to exclude (AND NOT) events where the source and destination IP are the same, but I could not find an option for this in the Rule Wizard.

    How can I add this condition? Could anyone please help get this resolved?

    Thanks



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Custom Rule

    Posted Thu July 14, 2022 02:37 PM

    You can use an AQL query and call it in the rule.



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Custom Rule

    Posted Thu August 18, 2022 06:09 AM

    Thanks Thobiyas.


    I tried using the query below and it works in search, but I get a different error when I try to add it in the Rule Wizard.


    SELECT sourceip, destinationip FROM events WHERE sourceip != destinationip GROUP BY sourceip


    Error:

    "You must specify at least one column in the Group By list to create a rule of this type. Edit the saved search and try again."


    Any idea how to resolve it?



    Thanks

    Arunkumar




    #QRadar
    #Support
    #SupportMigration


  • 4.  RE: Custom Rule

    Posted Fri December 02, 2022 07:22 AM
    Hi,
    You can use this stack in the rule wizard.

    when this property equals this property

    This can be modified as

    and NOT when Source IP not equals Destination IP



    ------------------------------
    Arunkumar R
    ------------------------------