IBM® QRadar building blocks

Building blocks group commonly used tests to build complex logic so that they can be used in rules.

Building blocks use the same tests that rules use, but have no actions associated with them. They are often configured to test groups of IP addresses, privileged user names, or collections of event names. For example, you might create a building block that contains the IP addresses of all mail servers in your network, and then reference that building block in another rule to exclude those hosts from its tests. The default building blocks are provided as guidelines; review and edit them to match your network.

You can configure the host definition building blocks (BB:HostDefinition) to enable QRadar® to discover and classify more servers on your network. If a particular server is not automatically detected, you can manually add the server to its corresponding host definition building block. This action ensures that the appropriate rules are applied to the particular server type. You can also manually add IP address ranges instead of individual devices.

Edit the following building blocks to reduce the number of offenses that are generated by high-volume traffic servers:

BB:HostDefinition: VA Scanner Source IP
BB:HostDefinition: Network Management Servers
BB:HostDefinition: Virus Definition and Other Update Servers
BB:HostDefinition: Proxy Servers
BB:NetworkDefinition: NAT Address Range
BB:NetworkDefinition: Trusted Network
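The following Python model illustrates the mechanism described above: a host definition building block is a named group of tests with no action of its own, a rule reuses it as one of its tests and attaches the action, and adding a host or an IP address range to the building block changes which events the rule fires on. This is an added example written for this page, not QRadar code or its API; the class names, the sample events, the IP addresses and the "Port Scan" event name are all constructed for the illustration.

```python
"""Model of how a QRadar building block feeds a rule (illustrative, not QRadar code)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class HostDefinition:
    """A host definition building block: the hosts and ranges of one server type.

    It carries a test (does the event's source IP belong to this set?) and
    nothing else: no action, no offense. Rules supply those.
    """
    name: str
    networks: list = field(default_factory=list)  # ipaddress network objects

    def add(self, host_or_range: str) -> None:
        # Accepts a single IP ("10.0.0.5") or a CIDR range ("10.0.8.0/24"),
        # mirroring the page's point that whole ranges can be added, not only hosts.
        self.networks.append(ipaddress.ip_network(host_or_range, strict=False))

    def matches(self, event: dict) -> bool:
        # The building block's only test: is the source IP one of these hosts?
        src = ipaddress.ip_address(event["src_ip"])
        return any(src in net for net in self.networks)


@dataclass
class Rule:
    """A rule: a list of tests (some reused from building blocks) plus an action."""
    name: str
    tests: list  # callables taking an event dict and returning bool; all must pass
    offenses: Counter = field(default_factory=Counter)

    def evaluate(self, event: dict) -> bool:
        fired = all(test(event) for test in self.tests)
        if fired:
            # The action: here, count an offense per source IP.
            self.offenses[event["src_ip"]] += 1
        return fired


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "event_name": "Port Scan"},      # a VA scanner
    {"src_ip": "10.0.8.17", "event_name": "Port Scan"},     # inside the proxy range
    {"src_ip": "192.168.1.44", "event_name": "Port Scan"},  # an ordinary workstation
    {"src_ip": "192.168.1.44", "event_name": "Login"},
]


def run_scan_rule(exclusions: list) -> dict:
    """Run a scan-detection rule over the sample events and return
    {src_ip: offense count}. Hosts matched by any building block in
    `exclusions` are excluded from the rule, the way a rule references
    BB:HostDefinition blocks with a negated test."""
    rule = Rule(
        name="Recon: port scan from internal host",  # hypothetical rule name
        tests=[
            lambda e: e["event_name"] == "Port Scan",
            lambda e: not any(bb.matches(e) for bb in exclusions),
        ],
    )
    for event in SAMPLE_EVENTS:
        rule.evaluate(event)
    return dict(rule.offenses)


def demo() -> tuple:
    """Compare offense counts before and after populating the host definitions."""
    scanners = HostDefinition("BB:HostDefinition: VA Scanner Source IP")
    scanners.add("10.0.0.5")
    proxies = HostDefinition("BB:HostDefinition: Proxy Servers")
    proxies.add("10.0.8.0/24")  # an address range instead of individual devices
    before = run_scan_rule([])  # empty building blocks: every scanner fires the rule
    after = run_scan_rule([scanners, proxies])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("offenses with empty building blocks:", before)
    print("offenses after populating them:     ", after)
```

With the building blocks empty, the rule raises an offense for the scanner, the proxy and the workstation alike; once the scanner's address and the proxy range are in the host definitions, only the workstation's scan remains. The same negated-membership pattern is how the listed BB:HostDefinition and BB:NetworkDefinition blocks suppress noise from high-volume servers in the default rule set.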