# QRadar

# Ignore when another rule matches

When a building block or rule matches its specific fields, do not fire on the matched events:

```
and NOT when a subset of at least this number of these rules, in order, from the same|different source IP to the same destination IP, over this many seconds
```

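# QRadar expiring whitelist

Use an AQL filter query. The exception only matches events dated before the cutoff day, so it stops applying once that day is reached: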

```
username LIKE 'testUser' and LONG(DATEFORMAT(starttime, 'yyyyMMdd')) < 20190429
```
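The expiry logic of the filter above, as an added example that is not part of the original notes: Python that builds the same filter string for one user and expiry day, then mirrors its comparison over constructed events to show the cutoff boundary. The function names, the sample events and the `tz` parameter (the zone in which `starttime` is turned into a day) are assumptions of this example.

```python
from datetime import date, datetime, timedelta, timezone

def expiring_filter(username: str, expires: date) -> str:
    """Build the AQL filter test from the note for one user and one expiry day."""
    if "'" in username or "%" in username:
        # A quote would end the string literal; % is a LIKE wildcard and
        # would widen the exemption beyond the one account.
        raise ValueError("username must not contain ' or %")
    return (f"username LIKE '{username}' and "
            f"LONG(DATEFORMAT(starttime, 'yyyyMMdd')) < {expires:%Y%m%d}")

def is_exempt(event: dict, username: str, expires: date, tz=timezone.utc) -> bool:
    """Mirror the filter: same user AND event day strictly before the expiry day.

    LIKE with no wildcard characters is an exact match, so == is used here.
    starttime is epoch milliseconds. tz is an assumption of this example: the
    zone in which the timestamp is turned into a yyyyMMdd day.
    """
    day = datetime.fromtimestamp(event["starttime"] / 1000, tz)
    return (event["username"] == username
            and int(f"{day:%Y%m%d}") < int(f"{expires:%Y%m%d}"))

def ms(*parts) -> int:
    """Epoch milliseconds for a UTC wall-clock time (helper for sample data)."""
    return int(datetime(*parts, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample events, not real log data.
EVENTS = [
    {"id": 1, "username": "testUser", "starttime": ms(2019, 4, 28, 23, 59, 59)},
    {"id": 2, "username": "testUser", "starttime": ms(2019, 4, 29, 0, 0, 0)},
    {"id": 3, "username": "otherUser", "starttime": ms(2019, 4, 20, 12, 0, 0)},
]

def exempt_ids(events, username, expires, tz=timezone.utc):
    """IDs of events the exception would keep away from the rule."""
    return [e["id"] for e in events if is_exempt(e, username, expires, tz)]

if __name__ == "__main__":
    expiry = date(2019, 4, 29)
    print(expiring_filter("testUser", expiry))
    print("UTC:  ", exempt_ids(EVENTS, "testUser", expiry))
    print("UTC+2:", exempt_ids(EVENTS, "testUser", expiry,
                               timezone(timedelta(hours=2))))
```

Event 1 falls one second before the cutoff in UTC and is exempt, but the same timestamp formatted two hours ahead lands on the cutoff day and is not, so confirm which zone your deployment formats `starttime` in before relying on the last day.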

# QRadar global whitelist

Use Routing Rules with **forwarding > bypass correlation**

For IP ranges, use Network Hierarchy.

# Reference Maps

<http://www.siem.su/docs/ibm/Technical_remarks/Reference_Data_Collections_Technical_Note.pdf>