Question & Answer
Question
What is the Response Limiter?
The Response Limiter in QRadar is an important option for fine-tuning how custom rules can react to events.
What does the response limiter do?
The Response Limiter regulates how often a rule carries out its configured responses over a given period. In essence, it caps the number of times the rule executes its responses for matching events. The Response Limiter thus keeps your system from becoming overloaded with alerts when matching events occur in rapid succession.
Doesn't Limit Rule Matching: Even with the Response Limiter option active, the rule still evaluates every event that meets its defined criteria. The limiter only controls how the rule responds to those matching events.
| Feature | Affected by Response Limiter option |
|---|---|
| Rule matching | No |
| Offense creation (if configured) | No |
| Custom actions | Yes |
| Notifications | Yes |
Rather than focusing on whether the event meets the criteria of the rule, the response limiter analyses how the rule reacts to a matching event.
Email can be effectively limited with the response limiter feature. The response limiter helps keep the mailbox from being overloaded with messages from the same rule during times of high event activity. It aids in maintaining your attention on urgent alerts.
For instance, imagine a rule that triggers an email notification for every failed login attempt. With the Response Limiter, you can set a threshold, for example 10 emails per minute. Thus, you are alerted to the issue but avoid an overwhelming surge of emails for individual failed attempts.
While the Response Limiter excels at managing rule actions like limiting emails, it can indirectly affect offense creation in a specific scenario:
Alternative Approaches for Dynamic Offense Naming:
Within the custom event definition, you can embed the logic for dynamically generating the offense name that uses event data.
This approach separates offense creation from the Response Limiter, ensuring that all relevant events contribute to offenses with the proper names.
Answer
By design, the Response Limiter only limits the items in the Rule Response section of the Rule Wizard:
The custom rule still will match every event that matches the defined tests, and those matching events will be flagged as having matched the rule.
However, after the threshold in the Response Limiter has been met, any of the response items will be suppressed until the Response Limiter time has expired.
There are some changes in rule response behaviour and match count behaviour that took place between 7.4.3 UP1 and 7.5.0 UP5.
Roughly the changes were:
7.4.3 FP1 - Response Limiters of stateless rules reset when all associated offenses are closed for a particular rule index.
7.4.3 FP3 - Match count counters reset if associated offenses are closed for a particular rule index.
7.4.3 FP7/7.5.0 UP3 - Response Limiters for stateful and stateless rules reset when any associated offense is closed for a particular rule index.
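The following Python simulation is an added example, not code from the QRadar product or from this document. It models the behaviour described in both the question (10 emails per minute for a failed-login rule) and the answer (matching and offense contribution continue, responses are suppressed until the limiter window expires, and the limiter resets when an associated offense is closed). The event stream, the fixed-window implementation, the host address and the user name are all constructed assumptions; QRadar's internal limiter implementation is not published on this page.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample stream (not from the page): one "Login Failure" event
# every 2 seconds for 80 seconds, i.e. 40 matching events from one host.
SAMPLE_EVENTS = [
    {"ts": i * 2, "event": "Login Failure", "src": "10.0.0.5", "user": "svc-backup"}
    for i in range(40)
]


@dataclass
class ResponseLimiter:
    """Allow at most `limit` responses per `window_seconds` (fixed-window model)."""
    limit: int
    window_seconds: int
    _window_start: Optional[float] = None
    _used: int = 0

    def allow(self, ts: float) -> bool:
        # Start a fresh window once the previous one has expired.
        if self._window_start is None or ts - self._window_start >= self.window_seconds:
            self._window_start, self._used = ts, 0
        if self._used < self.limit:
            self._used += 1
            return True
        return False  # response suppressed until the limiter window expires

    def reset(self) -> None:
        """Models the answer's 7.4.3 FP7 / 7.5.0 UP3 behaviour: the limiter
        starts over when an associated offense is closed."""
        self._window_start, self._used = None, 0


@dataclass
class RuleStats:
    matches: int = 0            # every matching event is counted, limiter or not
    offense_updates: int = 0    # offense creation/contribution is not limited
    emails_sent: int = 0        # email is a rule response, so it is limited
    emails_suppressed: int = 0
    sent_at: list = field(default_factory=list)  # timestamps of emails that went out


def run_rule(
    events,
    limiter: ResponseLimiter,
    offense_close_ts: Optional[float] = None,
    test: Callable[[dict], bool] = lambda e: e["event"] == "Login Failure",
) -> RuleStats:
    """Evaluate `test` against every event; only the email response is limited.
    If `offense_close_ts` is given, an analyst is assumed to close the offense at
    that time, which resets the limiter (constructed hook for the answer's note)."""
    stats = RuleStats()
    closed = False
    for e in events:
        if not test(e):
            continue
        if offense_close_ts is not None and not closed and e["ts"] >= offense_close_ts:
            limiter.reset()
            closed = True
        stats.matches += 1           # rule matching: NOT affected by the limiter
        stats.offense_updates += 1   # offense creation/contribution: NOT affected
        if limiter.allow(e["ts"]):   # rule response (email): limited
            stats.emails_sent += 1
            stats.sent_at.append(e["ts"])
        else:
            stats.emails_suppressed += 1
    return stats


if __name__ == "__main__":
    s = run_rule(SAMPLE_EVENTS, ResponseLimiter(limit=10, window_seconds=60))
    print(f"matches={s.matches} offense_updates={s.offense_updates} "
          f"emails_sent={s.emails_sent} suppressed={s.emails_suppressed}")
    s2 = run_rule(SAMPLE_EVENTS, ResponseLimiter(limit=10, window_seconds=60),
                  offense_close_ts=30)
    print("emails sent at (offense closed at t=30s):", s2.sent_at)
```

With 40 failed logins in 80 seconds, all 40 match and all 40 contribute to the offense, but only 10 emails leave in the first minute and 10 more once the window rolls over at 60 seconds. Closing the offense at 30 seconds resets the limiter, so the second batch of 10 emails is sent from 30 to 48 seconds instead, which is the behaviour the version notes above describe.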
Document Information
Modified date: 09 July 2024
UID: ibm10719333