Tuning the Active Rules That Generate Offenses
Tuning the noisiest rules can have a significant impact on reducing false positives.
- From the QRadar Use Case Manager main menu, click Active Rules.
- Apply filters to the active rules to fine-tune your investigation.
  - Filter the rules that started to contribute to offenses according to the calendar or by timeframe. The default is the last three days. Change the timeframe, or filter the rules that began to contribute to offenses between specific dates and times.
  - Select parameters to exclude offenses from the results, such as hidden or closed offenses. Offenses that are marked for follow-up are flagged for further investigation. You might have offenses that you want to retain regardless of the retention period; those offenses are protected so that they are not removed from QRadar after the retention period elapses. Inactive offenses can be removed from the visualization so that reports aren't cluttered.
  - Select the closure reason for an offense. For example, you can filter to see which rules generated the offenses that were closed as false positives. Rules with many false positives likely need tuning. Offenses that are closed as a non-issue are usually considered not critical to your organization.
  - Click Apply Filters.
- Review the Offenses by rule, Offenses by category and rule, Closed offenses by reason and rule, Events count trend by rule, and Offense creation trend by rule charts.
  Tip: The Offense creation trend by rule chart is supported on QRadar 7.4.1 Fix Pack 2 or later.
  - Hover over the chart segments to see more details about an offense.
  - Hide or show chart legends.
  - Click legend keys to fine-tune the chart display.
  - Zoom in for further investigation.
  - Expand bar and timeline charts to full screen.
  - Export bar and timeline charts to CSV, PNG, or JPG formats.
  - View bar and timeline chart data in tabular format. Then, export the data in CSV format to view offline or share with colleagues.
- In the table, tune the rules by choosing from the following methods:
  - Toggle between the top noisy rules or all the rules in the list.
  - Add more rules to investigate by selecting a group of rules or an individual rule from the list.
  Tip: The Event count column in the report indicates how many events the rule associated with the offenses that are counted in the Offense count column. The Event count column is supported on QRadar 7.4.1 Fix Pack 2 or later.
- Click Investigate.
  - Watch a short video to learn how to use the rule wizard.
  - Review each individual rule and the building blocks (BBs) that contribute to the active rule. For each rule, you can investigate further by clicking Show dependency tree or Edit in rule wizard.
  - Use the visualization diagram to further fine-tune any related options for the rule or building block, such as log source types, custom properties, or reference sets.
  - Review the offenses that are generated by each active rule.
  - Review the values in the various groups of tests, and tune if necessary.
  - Review the MITRE ATT&CK mappings for the rule, and edit if necessary.
  - To add custom rule attributes to the selected rule or building block, see Step 10 in Investigating QRadar rules and building blocks.
  - To investigate QRadar User Behavior Analytics rules, see Investigating user behavior analytics rules.
  - To return to the Active Rules page, click Active Rules in the breadcrumbs.
- To export selected rule data in the report to CSV format that you can further process or view in Excel, select the relevant checkboxes and then click Export.
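As an added example that is not part of this IBM documentation, the following Python script repeats the Active Rules aggregation offline on a constructed CSV export: it applies the same hidden-offense and closure-reason filters described above and ranks rules by the share of their offenses that were closed as false positives, which is the list a tuning pass should start from. The column names in the sample export are assumptions, not QRadar's real export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a "view data in tabular format" CSV export.
# Column names are assumptions for this example, not QRadar's export schema.
SAMPLE_EXPORT = """rule,offense_id,status,closure_reason,event_count
Excessive Firewall Denies,101,closed,False-Positive,4200
Excessive Firewall Denies,102,closed,False-Positive,3900
Excessive Firewall Denies,103,open,,5100
Excessive Firewall Denies,104,hidden,,800
Multiple Login Failures,201,closed,Non-Issue,60
Multiple Login Failures,202,closed,Policy Violation,75
Multiple Login Failures,203,open,,90
Malware Beaconing,301,open,,12
"""

def parse_export(text):
    """Parse the CSV export into dict rows, converting event_count to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["event_count"] = int(r["event_count"])
    return rows

def rank_noisy_rules(rows, exclude_hidden=True, fp_reasons=("False-Positive",)):
    """Per rule: offense count, event count, and share of offenses closed as FP.
    Mirrors the Active Rules filters: hidden offenses can be excluded, and the
    closure reasons in fp_reasons decide which closed offenses count as noise."""
    stats = defaultdict(lambda: {"offenses": 0, "events": 0, "false_positives": 0})
    for r in rows:
        if exclude_hidden and r["status"] == "hidden":
            continue
        s = stats[r["rule"]]
        s["offenses"] += 1
        s["events"] += r["event_count"]
        if r["status"] == "closed" and r["closure_reason"] in fp_reasons:
            s["false_positives"] += 1
    ranked = []
    for rule, s in stats.items():
        fp_rate = s["false_positives"] / s["offenses"]
        ranked.append({"rule": rule, **s, "fp_rate": round(fp_rate, 2)})
    # Tuning candidates first: highest FP share, then highest offense and event volume
    ranked.sort(key=lambda x: (x["fp_rate"], x["offenses"], x["events"]), reverse=True)
    return ranked

if __name__ == "__main__":
    for entry in rank_noisy_rules(parse_export(SAMPLE_EXPORT)):
        print(entry)
```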