QEFC Exclude From Correlation
QEFC Exclude From Correlation for IBM Security QRadar SIEM is an extension that allows users to temporarily prevent rules from generating new offenses for specific offense sources (username, IP address, etc.).
The application is useful when the incident response team has already identified a compromised host or username and does not need further notifications for the same source until the asset is fully recovered.
The QEFC package contains the following security content:
- A QRadar application (a new button on the offense details page and a configuration page in the Admin tab);
- A custom rule which matches an event/flow property (Username and Source IP by default) against data in the reference set that is populated by the button click.
QRadar Native Alternatives
There is no such native functionality in QRadar. Analysts must manually change all rules that might trigger on the required property.
Open Source / Apache 2.
IBM App Exchange
Available as a complimentary app within a commercial tool purchase.