Qradar

Ignore when another rule matches
When a building block or rule matches it's specific fields, do not fire matched events 
 and NOT when a subset of at least this number of these rules, in order, from the same|different source IP to the same destination IP, over this many seconds

Qradar expiring whitelist
Use AQL filter query 
 username LIKE 'testUser' and LONG(DATEFORMAT(starttime, 'yyyyMMdd')) < 20190429

Qradar global whitelist
Use Routing Rules with forwarding > bypass correlation 
 For IP ranges, use Network Hierarchy.

Reference Maps
[http://www.siem.su/docs/ibm/Technical_remarks/Reference_Data_Collections_Technical_Note.pdf]