IBM QRadar
Building Blocks & Rules
What are QRadar Building Blocks & Rules?
Building Blocks
▪ Building blocks group commonly used tests to build complex logic so that they can be used in rules.
▪ Building blocks use the same tests that rules use, but have no actions associated with them. They're often configured to test groups of IP addresses, privileged user names, or collections of event names. For example, you might create a building block that includes the IP addresses of all mail servers in your network, then use that building block in another rule to exclude those hosts. The building block defaults are provided as guidelines, which can be reviewed and edited based on the needs of your network.
▪ Building blocks are tested before rules are tested.
Building Blocks cont.
▪ Example building blocks (as listed in the rule test editor):
– BB:HostDefinition: Proxy Servers
– BB:NetworkDefinition: NAT Address Range
– BB:NetworkDefinition: Trusted Network
– BB:HostDefinition: Virus Definition and Other Update Servers
Rules
▪ What are rules?
▪ Custom rules test events, flows, and offenses to detect unusual activity in your network. You create new rules by using AND and OR combinations of existing rule tests. Anomaly detection rules test the results of saved flow or event searches to detect when unusual traffic patterns occur in your network. Anomaly detection rules require a saved search that is grouped around a common parameter.
Rules cont.
▪ How do rules work?
▪ QRadar Event Collectors gather events from local and remote sources, normalize these events, and classify them into low-level and high-level categories. For flows, QRadar QFlow Collectors read packets from the wire or receive flows from other devices and then convert the network data to flow records. Each Event Processor processes events or flow data from the QRadar Event Collectors. Flow Processors examine and correlate the information to indicate behavioral changes or policy violations. The custom rules engine (CRE) processes events and compares them against defined rules to search for anomalies. When a rule condition is met, the Event Processor generates the action that is defined in the rule response. The CRE tracks the systems that are involved in incidents, contributes events to offenses, and generates notifications.
Rules cont.
▪ How is an offense created from a rule?
– QRadar creates an offense when events, flows, or both meet the test criteria that are specified in the rules.
– QRadar analyzes the following information:
  – Incoming events and flows
  – Asset information
  – Known vulnerabilities
Edit Rules
▪ Local or Global? hmmm
– If you select Local, all rules are processed on the Event Processor on which they were received, and offenses are created only for the events that are processed locally.
– If you select Global, all matching events are sent to the QRadar Console for processing; therefore, the QRadar Console uses more bandwidth and processing resources.
– IBM SAYS >>
>> Global rule tests
Use global rules to detect things like "multiple user login failures" where the events from that user might appear on multiple Event Processors. For example, if you configured this rule for 5 login failures in 10 minutes from the same user name, and set it as a Local rule, all 5 of those login failures must appear on the same Event Processor. Therefore, if 3 login failures were on one Event Processor and 2 were on another, no offense is generated. However, if you set this rule to Global, it generates an offense. <<
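The building-block exclusion from the first slide (a BB holding the mail server IPs) and the Local vs Global counting in the IBM quote above, simulated together as an added Python example; this is not QRadar code or anything from the deck, and BB_MAIL_SERVERS, EVENTS and login_failure_rule are hypothetical names over constructed events.

```python
from collections import defaultdict, deque

# Hypothetical building block (the slide's "IP addresses of all mail servers"
# example): hosts in this set are excluded from the rule's tests.
BB_MAIL_SERVERS = {"10.0.0.20"}

# Constructed sample login-failure events:
# (timestamp in seconds, Event Processor that received it, user name, source IP)
EVENTS = [
    (0,   "EP1", "alice", "10.0.0.5"),   # alice: 3 failures on EP1 ...
    (60,  "EP1", "alice", "10.0.0.5"),
    (120, "EP1", "alice", "10.0.0.5"),
    (180, "EP2", "alice", "10.0.0.9"),   # ... and 2 on EP2 (5 in 10 minutes)
    (240, "EP2", "alice", "10.0.0.9"),
    (300, "EP2", "carol", "10.0.0.7"),   # carol: 5 failures, all on EP2
    (330, "EP2", "carol", "10.0.0.7"),
    (360, "EP2", "carol", "10.0.0.7"),
    (390, "EP2", "carol", "10.0.0.7"),
    (420, "EP2", "carol", "10.0.0.7"),
    (500, "EP1", "bob", "10.0.0.20"),    # bob: 5 failures from a mail server,
    (510, "EP1", "bob", "10.0.0.20"),    # excluded by the building block
    (520, "EP1", "bob", "10.0.0.20"),
    (530, "EP1", "bob", "10.0.0.20"),
    (540, "EP1", "bob", "10.0.0.20"),
]

def login_failure_rule(events, threshold=5, window=600, scope="local"):
    """Evaluate "threshold login failures in window seconds from the same user".
    scope="local": counted per Event Processor, so all failures must land on the
    same EP. scope="global": counted at the Console across all EPs.
    Returns the set of (counting key, user) pairs that raised an offense."""
    recent = defaultdict(deque)  # sliding window of timestamps per key
    offenses = set()
    for ts, ep, user, src_ip in sorted(events):
        if src_ip in BB_MAIL_SERVERS:
            continue  # building block matched: rule does not apply to this host
        key = (ep if scope == "local" else "CONSOLE", user)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            offenses.add(key)
    return offenses

if __name__ == "__main__":
    print("local :", login_failure_rule(EVENTS, scope="local"))   # {('EP2', 'carol')}
    print("global:", login_failure_rule(EVENTS, scope="global"))  # alice and carol
```

With alice's 3 + 2 failures split across two Event Processors, the Local scope raises nothing for her while the Global scope does, exactly the case IBM describes; bob never counts because his source host matches the building block.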
Ref.
▪ https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/c_qradar_rul_mgt.html
▪ https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_create_cust_rul.html