How to suppress the alert in QRadar?
Thanks for asking... kindly specify the exact scenario. Also, alert suppression is normally done in the following ways/methods:
1. Response limiter option in the offense config
2. Function properties w.r.t. time
3. Or by editing the log source, e.g. WinCollect, where you can specify which events get suppressed through filters.

Thx, much appreciated.
The scenario is: a specific external source IP is communicating with the internal source IP. As per client information it is legitimate traffic. Want to suppress the alert so we can reduce the noise level. I know in Sourcefire and RSA enVision there is an option to suppress the alert, like once in an hour and so on. But need to know how it works in QRadar.

Real simple: just make a rule first under the offense window. Click next and right at the bottom you see the rule response limit option; use that, it will cover your requirement.

Hi guys,
I have added a custom name from regex; now I want to remove the custom name. How shall I remove it?

A good tool to tune your QRadar is the Health Check Framework. The tool provides different metrics and a roadmap to troubleshoot and maintain QRadar.
You can get different me
https://www.scnsoft.com/services/security-intelligence-services/health-check-framework-for-ibm-qradar-siem

I am trying to set up the response limiter (not more than 1 response per 24 hours per Source IP) while the events are indexed with Source IP. I still see responses every 5-10 mins from the same IP.
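As an added illustration of two of the approaches discussed in this thread (a log-source filter that drops known-legitimate traffic, and a rule response limiter of "1 response per 24 hours per Source IP"), the following simulation is not QRadar's code and makes no claim about QRadar internals; it models the semantics on a constructed event stream. The external host 203.0.113.10, the internal host 10.0.0.5, the second external host 198.51.100.7 and the LEGITIMATE_PAIRS allow-list are all constructed values. It also shows why the field the limiter is keyed on matters: keyed on Source IP, each external host gets its own budget; keyed on Destination IP, unrelated sources that hit the same internal host share one budget and get collapsed together.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real traffic): 203.0.113.10 -> 10.0.0.5 every 5 minutes
# for 36 hours (432 events), plus one event from a second external host at +2h.
def build_sample_events():
    start = datetime(2024, 1, 1, 0, 0, 0)
    events = [
        {"time": start + timedelta(minutes=5 * i), "src": "203.0.113.10", "dst": "10.0.0.5"}
        for i in range(36 * 12)
    ]
    events.append({"time": start + timedelta(hours=2), "src": "198.51.100.7", "dst": "10.0.0.5"})
    events.sort(key=lambda e: e["time"])
    return events

# Approach 3 from the thread: drop known-legitimate traffic before it reaches the rule,
# the way a log-source filter would. Constructed allow-list of (src, dst) pairs.
LEGITIMATE_PAIRS = {("203.0.113.10", "10.0.0.5")}

def passes_log_source_filter(event):
    return (event["src"], event["dst"]) not in LEGITIMATE_PAIRS

# Approach 1 from the thread: a rule response limiter, e.g. at most `max_responses`
# per `window` per value of `key(event)`. Only responses are throttled; the rule
# still matches every event, which is how a response limiter differs from a filter.
class ResponseLimiter:
    def __init__(self, max_responses, window, key):
        self.max_responses = max_responses
        self.window = window
        self.key = key        # function: event -> value the limit is keyed on (e.g. Source IP)
        self.history = {}     # key value -> timestamps of responses still inside the window

    def allow(self, event):
        k = self.key(event)
        # keep only responses issued less than `window` ago for this key
        recent = [t for t in self.history.get(k, []) if event["time"] - t < self.window]
        if len(recent) >= self.max_responses:
            self.history[k] = recent
            return False
        recent.append(event["time"])
        self.history[k] = recent
        return True

def run_pipeline(events, use_filter, limiter):
    """Return the events that would trigger a rule response under the given controls."""
    responses = []
    for e in events:
        if use_filter and not passes_log_source_filter(e):
            continue
        # constructed rule: every external-to-internal event in the sample matches
        if limiter is None or limiter.allow(e):
            responses.append(e)
    return responses

def scenario_counts():
    """Number of responses fired under each control combination."""
    day = timedelta(hours=24)
    events = build_sample_events()
    return {
        "no_controls": len(run_pipeline(events, False, None)),
        "limiter_per_src": len(run_pipeline(events, False, ResponseLimiter(1, day, lambda e: e["src"]))),
        "limiter_per_dst": len(run_pipeline(events, False, ResponseLimiter(1, day, lambda e: e["dst"]))),
        "filter_only": len(run_pipeline(events, True, None)),
        "filter_and_limiter": len(run_pipeline(events, True, ResponseLimiter(1, day, lambda e: e["src"]))),
    }

if __name__ == "__main__":
    for name, count in scenario_counts().items():
        print(f"{name}: {count} response(s)")
```

With no controls the noisy pair produces a response every 5 minutes. The Source-IP-keyed limiter reduces 203.0.113.10 to one response at hour 0 and one at hour 24, while 198.51.100.7 still gets its own response at hour 2; keyed on Destination IP, that second host is silently absorbed into the noisy host's budget, which is the kind of key mismatch worth checking when a limiter appears not to work. The log-source filter removes the legitimate pair entirely and is the stronger choice when the traffic is confirmed benign, since nothing about that pair then reaches the rule or the offense at all.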