Tuning the Active Rules That Generate Offenses
Tuning the noisiest rules first has the largest effect on reducing false positives, because a few rules typically account for most of the offense volume.
- From the QRadar Use Case Manager navigation menu, click Active Rules.
- Filter the rules by calendar date or by time period.
- Select the parameters to exclude from the results, and click Apply Filters.
- Choose which rules to tune:
  - Toggle between the top noisy rules and all rules in the list.
  - Select a group of rules, or individual rules, from the list.
- Click Investigate, then work through each rule:
  - Review each rule and the building blocks (BBs) that contribute to it. For each rule, you can investigate further by clicking Show dependency tree or Edit in rule wizard.
  - Use the visualization diagram to fine-tune related options for the rule or building block, such as log source types, custom properties, or reference sets.
  - Review the offenses that each active rule generated.
  - Review the values in the rule's groups of tests, and tune them if necessary.
  - If applicable, review the log source types and MITRE ATT&CK tactics associated with the rule.
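The ranking that the Active Rules view performs (time-period filter, excluded parameters, top-noisy versus all rules) modelled in a few lines, as an added example that is not part of the QRadar documentation or product. The offense records, rule names and log source types are constructed placeholders; `active_rules` and `noise_share` are hypothetical helper names.

```python
"""Rank active rules by offense volume to decide which to tune first.

Constructed model of the Use Case Manager 'Active Rules' view: filter by
time window, exclude log source types, and show the top-N noisiest rules
or all of them. Example code, not IBM's; rule names are placeholders.
"""
from collections import Counter
from datetime import datetime

# Analysis window used by the example (start inclusive, end exclusive).
WINDOW_START = datetime(2024, 3, 1)
WINDOW_END = datetime(2024, 3, 8)


def _offenses(rule, source, day, n):
    # Build n constructed offense records (rule, start time, log source type).
    return [(rule, datetime(2024, 3, day, 8 + i), source) for i in range(n)]


SAMPLE_OFFENSES = (
    _offenses("Excessive Firewall Denies", "Firewall", 2, 5)
    + _offenses("Multiple Login Failures", "Windows", 3, 3)
    + _offenses("Rare Process Execution", "EDR", 4, 1)
    # One offense outside the window; the time filter must drop it.
    + [("Multiple Login Failures", datetime(2024, 2, 20, 8), "Windows")]
)


def active_rules(offenses, since, until, exclude_log_sources=(), top_n=None):
    """Return [(rule, offense_count)] noisiest first.

    Offenses outside [since, until) or from an excluded log source type are
    ignored; top_n=None returns every rule (the 'all rules' toggle).
    """
    counts = Counter(
        rule
        for rule, started, source in offenses
        if since <= started < until and source not in exclude_log_sources
    )
    return counts.most_common(top_n)


def noise_share(ranked, top_n):
    """Fraction of in-scope offenses produced by the top_n noisiest rules."""
    total = sum(count for _, count in ranked)
    if total == 0:
        return 0.0
    return sum(count for _, count in ranked[:top_n]) / total


if __name__ == "__main__":
    ranked = active_rules(SAMPLE_OFFENSES, WINDOW_START, WINDOW_END)
    for rule, count in ranked:
        print(f"{count:3d}  {rule}")
    print(f"top rule share: {noise_share(ranked, 1):.0%}")
```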