Configure Rule-Based Scanning
In QRadar, you can create a rule based on SIEM data. If the rule conditions are met, a scan launches on the requested IP address. You can also right-click an IP address in QRadar to initiate a scan. When a scan launches, the IP address associated with the rule is scanned with Tenable.io and Tenable.sc.
A background script runs periodically to launch scans on the IP address. The default run interval is 1200 seconds.
Complete the following steps to create a rule in your Tenable application for IBM QRadar SIEM.
To create a rule:
On the IBM QRadar SIEM console, click the button.
The Menu options appear.
The Offenses menu appears.
In the Offenses menu, click Rules.
The Rules page appears.
In the Rules menu, click Actions.
A drop-down box appears.
Select one of the New Rule options.
The Rule Wizard window appears.
Note: If you experience difficulties with user interface elements, problems may exist with your browser. Try again from a different browser.
Select the source where the rules are generated.
The Rule Wizard: Rule Response window appears.
Rule Wizard: Rule Response Configuration
In the Rule Response section, click the check box for Ensure the detected event is part of an offense.
Click the check box for Add to a Reference Set.
A drop-down appears.
Add the Tenable source IP.
Note: If you want to launch a scan for both the source IP and the destination IP in both Tenable.io and Tenable.sc, you must create four rules:
- Scan source IP with Tenable.io
- Scan source IP with Tenable.sc
- Scan destination IP with Tenable.io
- Scan destination IP with Tenable.sc
After you make your rule selections, click Finish.
Caution: Without the Ensure the detected event is part of an offense and Add to a Reference Set settings enabled, QRadar cannot create an event in the All Offenses category of the Offenses tab of the dashboard. The All Offenses category is where you review the vulnerabilities for which you set the rules.
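The following is an added illustration of the scheduling behaviour described above (the periodic background script, the 1200-second interval, and the four-rule source/destination matrix); it is not Tenable's or IBM's code. It models the logic only: the reference-set names are hypothetical, the reference-set contents are constructed sample data, and "launching" a scan is recorded as a ScanRequest rather than sent to any scanner. The point it adds is the checks a practitioner would want in such a loop: entries that are not single IP addresses (garbage or a CIDR range) are rejected instead of scanned, and the same IP is not re-scanned by the same scanner until the interval has elapsed.

```python
import ipaddress
from dataclasses import dataclass, field

# Default run interval stated on the page, in seconds.
SCAN_POLL_INTERVAL_SECONDS = 1200

# Constructed sample data: one reference set per rule in the four-rule matrix.
# The (direction, scanner) keys and the entries are assumptions for this example.
SAMPLE_REFERENCE_SETS = {
    ("source", "tenable_io"): ["10.0.0.5", "10.0.0.5", "not-an-ip", "10.0.0.7"],
    ("source", "tenable_sc"): ["10.0.0.5"],
    ("destination", "tenable_io"): ["192.0.2.10", "192.0.2.0/24"],
    ("destination", "tenable_sc"): [],
}


@dataclass
class ScanRequest:
    """One scan the background job would launch (hypothetical record type)."""
    target_ip: str
    scanner: str
    direction: str


@dataclass
class ScanScheduler:
    """Models the periodic job: reads reference sets, launches at most one
    scan per (ip, scanner) pair within each interval."""
    interval_seconds: int = SCAN_POLL_INTERVAL_SECONDS
    # (ip, scanner) -> timestamp of the last launch
    last_launch: dict = field(default_factory=dict)
    launched: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def run_once(self, reference_sets, now):
        """Process every reference set once at time `now` (seconds).
        Returns the list of scans launched during this run."""
        new_requests = []
        for (direction, scanner), entries in reference_sets.items():
            for entry in entries:
                # Only a single IP address is a valid scan target here;
                # ip_address() rejects CIDR notation and arbitrary strings.
                try:
                    ip = str(ipaddress.ip_address(entry.strip()))
                except ValueError:
                    self.rejected.append(entry)
                    continue
                key = (ip, scanner)
                last = self.last_launch.get(key)
                if last is not None and now - last < self.interval_seconds:
                    # Already scanned by this scanner within the interval
                    # (this also collapses duplicates inside one reference set).
                    continue
                self.last_launch[key] = now
                request = ScanRequest(ip, scanner, direction)
                self.launched.append(request)
                new_requests.append(request)
        return new_requests


if __name__ == "__main__":
    scheduler = ScanScheduler()
    for request in scheduler.run_once(SAMPLE_REFERENCE_SETS, now=0):
        print(f"launch {request.scanner} scan of {request.target_ip} ({request.direction})")
    print("rejected entries:", scheduler.rejected)
```

Running it once launches four scans (10.0.0.5 is scanned by Tenable.io and by Tenable.sc, but only once each despite appearing twice in the first set) and rejects the two malformed entries; a second run inside the interval launches nothing, and a run at or after 1200 seconds launches the four again.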