Custom Rule Attributes
A custom rule attribute represents a specific piece of information that you can attach to a rule and that doesn't fit into the existing rule attributes. Examples include the use case that the rule belongs to, the team that is responsible for creating or maintaining the rule, or who reviewed the rule.
You can define any custom rule attribute and its values, assign the custom attribute values to a rule, and add the custom attribute as a report column on the Use Case Explorer page. Then, you can search for the attribute to fine-tune the report, which is useful when the rule list is long. Custom rule data appears only for installed rules.
Attribute Examples
Define another cyber adversary framework that is not supported by default by QRadar Use Case Manager, such as the Cyber Kill Chain. Then create attribute values for each of the seven steps in the Cyber Kill Chain. For more information, see https://www.computer.org/publications/tech-news/trends/what-is-the-cyber-kill-chain-and-how-it-can-protect-against-attacks.
Create tags with arbitrary values, such as a year or status of the rule. For example, "2021", "In review", "Out-of-date", or "Deprecated".
Define security use cases, such as threat detection, cloud services, user behavior analysis, or network traffic analysis.