Create a Rule

In QRadar, you can create a rule based on SIEM data. If the rule conditions are found, a scan launches on the requested IP address. You can also right click an IP address in QRadar to initiate a scan. When scans are launched, rules with the associated IP address scan Tenable.io and Tenable.sc.

A background script runs periodically to launch scans on the IP address. The default time for run is 1200 seconds.

Complete the following steps to create a rule in your Tenable application for IBM QRadar SIEM .

To create a rule:

  1. On the IBM QRadar SIEM console, click the button.

    The Menu options appear.

  2. Click Offenses.

    The Offenses menu appears.

  3. In the Offenses menu, click Rules.

    The Rules page appears.

  4. In the Rules menu, click Actions.

    A drop-down box appears.

  5. Select one of the New Rule options.

    The Rule Wizard window appears.

  6. Click Next.
  7. Select the source where the rules are generated.

  8. Click Next.

  9. Follow the Rule Wizard steps to continue the rule configurations.

    Note: In the Rule Response section, you must add the Tenable source IP.

    1. In the Rule Response section, click the Add to a Reference check box.

      A drop-down appears.

    2. In the drop-down, select Tenable.io scan IP or Tenable.sc scan IP.

    Note: If you want to launch a scan for source IP and destination for both Tenable.io and Tenable.sc, you must create four rules: 1) Scan source IP with Tenable.io, 2) Scan source IP with Tenable.sc, 3) Scan destination IP with Tenable.io, and 4) Scan destination IP with Tenable.sc.

  10. After you make your rules selections, click Finish.