I would like to set rule, if qradar does not find the string in event payload for one week? How can I do it?
I am looking to list of conditions, but I did not find any suitable condition. I have this:
when the event(s) have not been detected by one or more of there log source types for this many seconds
However I think it is not very suitable for me, because I need to work with payload. Could someone help me how to solve this problem?
One approach to resolve this problem is to use reference sets. A concept for this is explained here. You need two rules and a reference set:
Create a reference set and configure the time to live to the duration when the absence should be detected.
Set up a rule that triggers on the pattern whose absence you want to detect. In your case a string in the payload. Select "Add to a Reference Set" as rule response. Use the reference set from above.
Create a second rule which triggers on Event Name (or QID) "Reference Data Expiry". Maybe you need a custom event property for the name of the reference set and/or the expired element too. With this CEP you can test for the expiry of the item added from rule 1.
