The Rule Responses window appears, which allows you to configure the action QRadar takes when the event or flow sequence is detected.
Step 11 Choose one of the following:
a If you are configuring an Event Rule, Flow Rule, or Common Rule:
Table 12-3 Event/Flow/Common Rule Response Window Parameters

Rule Action

Severity: Select the check box if you want this rule to set or adjust severity to the configured level. Once selected, you can configure the desired level.
Credibility: Select the check box if you want this rule to set or adjust credibility to the configured level. Once selected, you can configure the desired level.
Relevance: Select the check box if you want this rule to set or adjust relevance to the configured level. Once selected, you can configure the desired level.
Ensure the detected event is part of an offense: Select the check box if you want the event to be forwarded to the Magistrate component. If no offense has been created in the Offenses interface, a new offense is created. If an offense exists, this event is added to it.
If you select the check box, the following options appear:
• Index offense based on - Using the drop-down list box, select the parameter on which you want to index the offense. The default is Source IP.
For event rules, options include destination IP, destination IP identity, destination IPv6, destination MAC address, destination port, event name, hostname, log source, rule, source IP, source IP identity, source IPv6, source MAC address, source port, or username.
For flow rules, options include App ID, destination ASN, destination IP, destination IP identity, destination port, event name, rule, source ASN, source IP, source IP identity, or source port.
For common rules, options include destination IP, destination IP identity, destination port, rule, source IP, source IP identity, and source port.
• Annotate this offense - Select the check box if you want to add an annotation to this offense. If you select the check box, enter the annotation you want to add to the offense.
• Include detected events by <index> from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds for which you want to include detected events by <index> in the Offenses interface. This field indicates the parameter on which the offense is indexed. The default is Source IP.
Annotate event: Select the check box if you want to add an annotation to this event. If you select the check box, enter the annotation you want to add to the event.
Drop the detected event: Select the check box to force an event that would normally be sent to the Magistrate component to be sent instead to the Ariel database for reporting or searching. This event does not appear in the Offenses interface.
Rule Response

Dispatch New Event: Select the check box to dispatch a new event in addition to the original event or flow. The new event is processed like all other events in the system. The Dispatch New Event parameters appear when you select the check box. By default, the check box is clear.
Event Name: Specify the name of the event you want to display in the Offenses interface.
Event Description: Specify a description for the event. The description appears in the Annotations of the event details.
Offense Naming: Select one of the following options:
• This information should contribute to the name of the associated offense(s) - Select this option if you want the Event Name information to contribute to the name of the offense(s).
• This information should set or replace the name of the associated offense(s) - Select this option if you want the configured Event Name to be the name of the offense(s).
• This information should not contribute to the naming of the associated offense(s) - Select this option if you do not want the Event Name information to contribute to the name of the offense(s).
Severity: Specify the severity for the event. The range is 0 (lowest) to 10 (highest) and the default is 0. The severity appears in the Annotation of the event details.
Credibility: Specify the credibility of the event. The range is 0 (lowest) to 10 (highest) and the default is 10. The credibility appears in the Annotation of the event details.
Relevance: Specify the relevance of the event. The range is 0 (lowest) to 10 (highest) and the default is 10. The relevance appears in the Annotation of the event details.
High-Level Category: Specify the high-level event category you want this rule to use when processing events. For more information on event categories, see Appendix E Event Categories.
Low-Level Category: Specify the low-level event category you want this rule to use when processing events. For more information on event categories, see Appendix E Event Categories.
Annotate this offense: Select the check box if you want to add an annotation to this offense. If you select the check box, enter the annotation you want to add to the offense.
Ensure the dispatched event is part of an offense: Select the check box if you want the event forwarded to the Magistrate component as a result of this rule. If no offense has been created in the Offenses interface, a new offense is created. If an offense exists, this event is added to it.
If you select the check box, the following options appear:
• Index offense based on - Using the drop-down list box, select the parameter on which you want to index the offense. The default is Source IP.
For event rules, options include destination IP, destination IP identity, destination IPv6, destination MAC address, destination port, event name, hostname, log source, rule, source IP, source IP identity, source IPv6, source MAC address, source port, or username.
For flow rules, options include App ID, destination ASN, destination IP, destination IP identity, destination port, event name, rule, source ASN, source IP, source IP identity, or source port.
For common rules, options include destination IP, destination IP identity, destination port, rule, source IP, source IP identity, and source port.
• Include detected events by <index> from this point forward, for second(s), in the offense - Select the check box and configure the number of seconds for which you want to include detected events by <index> in the Offenses interface. This field indicates the parameter on which the offense is indexed. The default is Source IP.
Email: Select the check box to display the e-mail options. By default, the check box is clear.
Enter email addresses to notify: Specify the e-mail address(es) to which a notification is sent if this rule generates. Separate multiple e-mail addresses using a comma.
SNMP Trap: This parameter only appears when the SNMP Settings parameters are configured in the QRadar System Management window. For more information, see Chapter 5 Setting Up QRadar.
Select the check box to send an SNMP trap. The SNMP trap output includes the system time, the trap OID, and the notification data, as defined by the Q1 Labs MIB. For more information on the Q1 Labs MIB, see Appendix A Q1 Labs MIB.
For example, the SNMP notification may resemble:
"Wed Sep 28 12:20:57 GMT 2005, QRADAR Custom Rule Engine Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, Event Name: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited, QID: 1000156, Category: 1014, Notes: Offense description"
Send to SysLog: Select the check box if you want to log the event or flow. By default, the check box is clear.
For example, the syslog output may resemble:
Sep 28 12:39:01 localhost.localdomain
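A parser for the Custom Rule Engine notification text shown in the SNMP example above, added here as an illustration; it is not QRadar code and not part of this guide. A trap or syslog receiver that forwards rule firings to a ticketing or case system can use it to get typed fields instead of free text. It assumes that the integer after the destination socket is the IP protocol number (the guide does not name that field), and offense_summary is a hypothetical helper; the sample input is the guide's own example.

```python
import re

# Layout of the CRE notification text as printed in the guide. The integer after
# the destination socket is assumed to be the IP protocol number (1 = ICMP);
# the guide does not name that field.
_CRE_PATTERN = re.compile(
    r"^(?P<timestamp>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \S+ \d{4}), "
    r"QRADAR Custom Rule Engine Notification - Rule '(?P<rule>[^']*)' Fired\. "
    r"(?P<src_ip>[0-9.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[0-9.]+):(?P<dst_port>\d+) (?P<protocol>\d+), "
    r"Event Name: (?P<event_name>.+?), "
    r"QID: (?P<qid>\d+), Category: (?P<category>\d+), Notes: (?P<notes>.*)$"
)
_INT_FIELDS = ("src_port", "dst_port", "protocol", "qid", "category")


def parse_cre_notification(text: str) -> dict:
    """Turn one CRE notification string into a dict of typed fields.
    Whitespace is collapsed first because the text can arrive wrapped across
    lines, as it is printed in the guide. Unknown layouts raise ValueError so
    a receiver never silently attributes a firing to the wrong rule or host.
    """
    flat = " ".join(text.split())
    match = _CRE_PATTERN.match(flat)
    if match is None:
        raise ValueError("not a QRadar CRE notification: %r" % flat[:60])
    fields = match.groupdict()
    for key in _INT_FIELDS:
        fields[key] = int(fields[key])
    return fields


def offense_summary(fields: dict) -> str:
    """One-line summary suitable for a ticket title (hypothetical helper)."""
    return "[%s] %s %s:%d -> %s:%d (QID %d, category %d)" % (
        fields["rule"], fields["event_name"], fields["src_ip"],
        fields["src_port"], fields["dst_ip"], fields["dst_port"],
        fields["qid"], fields["category"])


# The guide's own SNMP example, wrapped across lines exactly as it is printed.
SAMPLE_NOTIFICATION = """Wed Sep 28 12:20:57 GMT 2005, QRADAR Custom Rule Engine \
Notification - Rule 'SNMPTRAPTest' Fired. 172.16.20.98:0 -> 172.16.60.75:0 1, \
Event Name: ICMP Destination Unreachable Communication with Destination Host is
Administratively Prohibited, QID:
1000156, Category: 1014, Notes:
Offense description"""

if __name__ == "__main__":
    print(offense_summary(parse_cre_notification(SAMPLE_NOTIFICATION)))
```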