
IBM QRadar: How to Create a Rule for Log Source Monitoring

Create a Custom Rule
You can create a custom rule to generate an offense or send notifications when logs stop coming from any log source.
  1. Go to the Rules Section:
    • Navigate to Offenses > Rules.
    • Click Actions > New Event Rule.

The Rule Wizard window then opens.
In this first step, keep the default parameters and continue.

After that, you reach the main configuration page for the rule.
2. Define the Rule Conditions:
     Steps:
  • In the rule editor, click Test Group and choose Log Source Tests from the drop-down list.
  • Search for and select the test ‘when the event(s) have not been detected by one or more of these log sources for this many seconds’.
  • Set ‘of these log sources’ to the log source(s) you want to monitor and ‘this many’ to the silence threshold in seconds (e.g., 600 seconds for 10 minutes). Choose a threshold longer than the normal gap between events for that source; otherwise a low-volume source will trigger the rule even though it is healthy.

For example, in the screenshot, I named the rule test_wather and set the condition “and when the event(s) have not been detected by one or more of SRV-WIN-XXX for 6000 seconds” (100 minutes), selected the Group “System”, and added the Notes “log source monitoring“:

3. Add a Response to the Rule:
  • Under the Rule Response tab, choose the response(s) to take when an event triggers this rule. To forward the event to an external system:
    • Click Manage Destinations.
    • In the window that opens, click Add to create a new destination.
    • In the Forwarding Destination Properties window, set the destination properties and click Save. For example, in the screenshot, I set the destination to a server using the TCP protocol.

The new destination now appears in the list. Select it and click Finish.

The rule is now listed under Offenses > Rules. For example, in the screenshot, the rule test_wather appears in the list.

From now on, when a log source stops sending events for longer than the configured threshold, the rule fires and the notification is delivered. For example, in the screenshot, the rule sent its message to the server over TCP.
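To make the semantics of the condition concrete, the following Python script is an added example (not QRadar code and not from the original post). It models the “event(s) have not been detected by … for this many seconds” test outside QRadar: it replays a few constructed syslog-style lines, records the last event time per monitored log source, flags the sources that have been silent longer than the threshold, and formats the result as the one-line notifications a TCP forwarding destination would receive. The event format, the log source names (SRV-WIN-01 etc.), the rule name and the TCP target are assumptions; the handling of a source that has never reported at all (measured from the time monitoring started) is this model's choice, added so that a source which never checks in is not silently skipped.

```python
"""Added example, not QRadar's code: a model of the rule test
"when the event(s) have not been detected by one or more of these log
sources for this many seconds", run over constructed sample events."""
import socket
from datetime import datetime

# Constructed sample events. Assumed line format:
# "<ISO 8601 UTC timestamp> <log source identifier> <payload>"
SAMPLE_EVENTS = """\
2024-05-01T09:00:00Z SRV-WIN-01 EventID=4624 An account was successfully logged on
2024-05-01T09:05:00Z SRV-WIN-02 EventID=4625 An account failed to log on
2024-05-01T09:40:00Z SRV-WIN-01 EventID=4634 An account was logged off
2024-05-01T09:41:00Z SRV-LINUX-01 sshd[1234]: Accepted publickey for ops
""".splitlines()

# Hypothetical scope of the rule ("of these log sources"). SRV-WIN-03 never
# reports at all, the case a quiet-source rule must not miss.
MONITORED_SOURCES = ["SRV-WIN-01", "SRV-WIN-02", "SRV-WIN-03"]


def parse_ts(ts):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def last_seen(events):
    """Return {log_source: time of its most recent event}."""
    seen = {}
    for line in events:
        ts, source, _payload = line.split(" ", 2)
        t = parse_ts(ts)
        if source not in seen or t > seen[source]:
            seen[source] = t
    return seen


def silent_sources(events, monitored, threshold_seconds, now, monitoring_started):
    """Return [(source, seconds_silent)] for monitored sources that have sent
    nothing for more than threshold_seconds as of `now`, in monitored order.

    Assumption of this model: a source with no events at all is measured from
    `monitoring_started`, so a source that never reported is still caught."""
    seen = last_seen(events)
    result = []
    for source in monitored:
        reference = seen.get(source, monitoring_started)
        silent_for = int((now - reference).total_seconds())
        if silent_for > threshold_seconds:
            result.append((source, silent_for))
    return result


def format_notification(rule_name, silent):
    """One line per silent source, in the shape a TCP destination might receive."""
    return [f"{rule_name}: no events from {source} for {secs} seconds"
            for source, secs in silent]


def send_notification(host, port, lines, timeout=5):
    """Deliver the notification lines to a TCP listener (for example `nc -l`
    on the assumed host/port). Not invoked by the demo below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for line in lines:
            sock.sendall((line + "\n").encode())


if __name__ == "__main__":
    now = parse_ts("2024-05-01T10:00:00Z")
    started = parse_ts("2024-05-01T08:30:00Z")
    # Threshold of 10 minutes, which the rule takes as 600 seconds
    silent = silent_sources(SAMPLE_EVENTS, MONITORED_SOURCES, 600, now, started)
    for line in format_notification("test_wather", silent):
        print(line)
```

Run as-is it reports all three Windows sources (silent for 1200, 3300 and 5400 seconds respectively); raising the threshold to the post's 6000 seconds reports none of them, which illustrates why the threshold has to be chosen against the source's real event rate. SRV-LINUX-01 is never reported because it is outside the rule's scope, exactly as a log source left out of ‘of these log sources’ would be in QRadar.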

The post IBM QRadar: How to Create a Rule for Log Source Monitoring appeared first on SOC Prime.
