Tuning the Active Rules That Generate CRE Events
The Custom Rules Engine (CRE) event report shows which active rules generate CRE events. A rule response is often configured to dispatch a CRE event, either in addition to creating an offense or instead of it. The report shows which rules generated the most CRE events. In general, if a rule generates CRE events many times per day, it is firing too often, and you should consider tuning it. For example, if the report shows that one or two source IPs account for all the CRE events a rule generated, those source IPs might belong in one of the Host Definition building blocks (BBs) that the rule references. Select the rule and click Investigate to see which Host Definition BB to update.
You can also use this report to test rules. In this case, the rule response only dispatches a CRE event and does not create an offense, so the rule can run against live data without filling the offense list. If the report shows that the rule fires too often, tune it before enabling the offense. If the rule generates only a few CRE events per week, change the rule response to generate an offense.
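The two checks described above (how often a rule fires per day, and whether a handful of source IPs account for nearly all of its CRE events) as an added Python example that is not part of the original page or of the app it describes. It runs over a constructed set of CRE events carrying the fields the report surfaces (rule name, time, source IP), computes each rule's daily firing rate, finds the smallest set of source IPs that produce most of its events, and suggests the next step. The threshold values, the `share` cut-off, the sample rule names and the record field names are illustrative assumptions, not QRadar defaults or an export format.

```python
from collections import Counter
from datetime import datetime, timedelta
from math import ceil


# Constructed sample data, not exported from a real QRadar deployment. Each
# record carries the fields the CRE report surfaces: the rule that fired,
# when it fired, and the source IP of the triggering event.
def _make(rule, start, count, ips, minutes_apart):
    """Build `count` CRE events for `rule`, cycling through `ips`."""
    return [
        {"rule": rule,
         "time": (start + timedelta(minutes=i * minutes_apart)).isoformat(),
         "src_ip": ips[i % len(ips)]}
        for i in range(count)
    ]


START = datetime(2024, 5, 1)
SAMPLE_CRE_EVENTS = (
    # Noisy rule: 700 fires in a week, 90% of them from one scanner host.
    _make("Excessive Firewall Denies", START, 630, ["10.0.0.5"], 16)
    + _make("Excessive Firewall Denies", START, 70,
            ["10.0.0.6", "10.0.0.7", "10.0.0.8"], 140)
    # Rule under test (CRE event only, no offense): three fires in a week.
    + _make("New Admin Account Created", START, 3,
            ["10.0.1.10", "10.0.1.11", "10.0.1.12"], 2880)
    # Healthy rule: 70 fires spread evenly across ten hosts.
    + _make("Login Failure Followed By Success", START, 70,
            [f"10.0.2.{i}" for i in range(10)], 140)
)


def window_days(events):
    """Whole days spanned by the event set (at least one)."""
    times = [datetime.fromisoformat(e["time"]) for e in events]
    span = (max(times) - min(times)).total_seconds() / 86400
    return max(1, ceil(span))


def dominant_sources(events, rule, share=0.8):
    """Smallest set of source IPs that together produce at least `share`
    of the CRE events for `rule`, most frequent first."""
    counts = Counter(e["src_ip"] for e in events if e["rule"] == rule)
    needed = share * sum(counts.values())
    chosen, seen = [], 0
    for ip, n in counts.most_common():
        chosen.append(ip)
        seen += n
        if seen >= needed:
            break
    return chosen


def tuning_advice(events, noisy_per_day=50, quiet_per_week=5,
                  share=0.8, max_hosts=2):
    """Per rule: firing rate, dominant sources and a suggested next step.
    The thresholds are illustrative assumptions, not QRadar defaults."""
    days = window_days(events)
    totals = Counter(e["rule"] for e in events)
    advice = {}
    for rule, total in totals.items():
        per_day = total / days
        dominant = dominant_sources(events, rule, share)
        if per_day >= noisy_per_day:
            if len(dominant) <= max_hosts:
                # A few hosts explain the noise: a host definition BB fix.
                action = ("noisy: add dominant source(s) to the host "
                          "definition BB the rule references")
            else:
                # Noise is spread out: the rule's tests are too loose.
                action = "noisy: review the rule's test thresholds and grouped tests"
        elif per_day * 7 <= quiet_per_week:
            action = "quiet: change the rule response to create an offense"
        else:
            action = "ok: leave the rule as is"
        advice[rule] = {"total": total, "per_day": round(per_day, 1),
                        "dominant_sources": dominant, "action": action}
    return advice


if __name__ == "__main__":
    for rule, a in tuning_advice(SAMPLE_CRE_EVENTS).items():
        print(f"{rule}: {a['per_day']}/day, top sources "
              f"{a['dominant_sources']} -> {a['action']}")
```

Running it flags the firewall rule as noisy with a single dominant source (a candidate for the Host Definition BB), the rule under test as quiet (a candidate for offense creation), and leaves the evenly spread rule alone. When working from a real report, replace `SAMPLE_CRE_EVENTS` with the report rows and choose thresholds that match your own event volume; the "quiet" check extrapolates the observed window to a week, so give it at least several days of data.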
- From the navigation menu, click CRE Report.
- Filter the rules by date range from the calendar, or by a preset time period.
- Select the number of results to return, and click Apply.
- Choose which rules to tune by one of the following methods:
  - Toggle between the noisiest rules and all rules in the list.
  - Select a group of rules, or individual rules, from the list.
- Click Investigate.
  - Review each rule and the BBs that contribute to its CRE events. For each rule, you can investigate further by clicking Show dependency tree or Edit in rule wizard.
  - Use the visualization diagram to fine-tune related options for the rule or building block, such as log source types, custom properties, or reference sets.
  - Review the events that are generated by the rule you selected.
  - To refresh the rules from QRadar immediately, click the Refresh icon. Otherwise, the app automatically updates its data from the Console every 15 minutes.
  - Review the threshold values in the rule's tests, and tune them if necessary.
  - Review the values in the rule's groups of tests, and tune them if necessary.