Investigating QRadar Rules and Building Blocks
Ensure you have the proper user permissions to view and maintain QRadar rules. For more information, see Assigning User Permissions for QRadar Use Case Manager.
Investigate your rules by filtering different properties to ensure that the rules are defined and working as intended, including log source coverage. Determine which rules you might need to edit in QRadar or investigate further in QRadar Use Case Manager.
Follow the suggested workflow for investigating your rules.
- Go to the Use Case Explorer page, click the list icon, and pick a template to use.
- Filter rules and building blocks by attributes, tests, content extension attributes, activity, and MITRE ATT&CK tactics and techniques.
- To find the rule you want to edit or search, filter on the rule name, tactic, or technique by using a regular expression. You can also use the Group filter to select the group you want to search, such as authentication or compliance.
- To create new rules, click the plus sign icon and complete the rule wizard. It might take several minutes for the new rule to appear in the report. To see the new rule immediately, click the Refresh icon in the report menu bar.
- Customize the report presentation to make it easier to investigate the rules and building blocks.
- To investigate an individual rule or building block, make sure that the report table is ungrouped, and then select the rule name to open the rule wizard.
- To investigate multiple rules or building blocks simultaneously, click the pencil icon in the report table to display checkboxes for each table row. Select the relevant rules or building blocks that you want to edit, and then click Open in rule wizard.
  Note: On QRadar 7.4.1 Fix Pack 2 or later, you can change the date range for the trend of the selected rule in the Offense creation by current rule in a certain time chart. The date range defaults back to the filtered date range (1 month) when you close and reopen the rule. On QRadar 7.3.3, the default date range is 3 days and cannot be edited.
- To enable or disable rules, make sure that the Rule enabled column is visible in the report, and then switch the toggle to On or Off.
  Note: You cannot disable an enabled rule if it has dependents. You cannot enable a rule if it has any disabled or noninstalled dependencies. A list of dependents or dependencies is available for review in the warning messages.
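The regular-expression rule filter and the enable/disable dependency guard described above can be reproduced offline against a rule inventory, which is useful when reviewing a planned batch of rule changes before touching the console. The following is an added example, not IBM code and not the Use Case Manager implementation: it works on a constructed, simplified inventory (rule name, enabled, installed, direct dependencies) because this page does not describe the exported report's format, and it checks only direct dependencies, which is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample inventory (not a real QRadar export): each entry maps a
# rule or building-block name to (enabled, installed, direct dependency names).
# Names prefixed "BB:" are building blocks, following the QRadar naming convention.
SAMPLE_RULES = {
    "BB:Auth Servers": (True, True, []),
    "BB:Failed Logins": (True, True, ["BB:Auth Servers"]),
    "Brute Force Login": (True, True, ["BB:Failed Logins"]),
    "Legacy Login Check": (False, True, ["BB:Auth Servers"]),
    "Uses Missing Content": (False, True, ["BB:Not Installed"]),
    "BB:Not Installed": (False, False, []),
}


def filter_rules(rules, pattern):
    """Return rule names matching a regular expression (case-insensitive),
    mirroring the rule-name regex filter in Use Case Manager."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(name for name in rules if rx.search(name))


def build_dependents(rules):
    """Invert the dependency edges: name -> set of rules that depend on it."""
    dependents = defaultdict(set)
    for name, (_enabled, _installed, deps) in rules.items():
        for dep in deps:
            dependents[dep].add(name)
    return dependents


def can_disable(rules, name):
    """An enabled rule cannot be disabled while other rules depend on it.
    Returns (allowed, blocking_dependents)."""
    blockers = sorted(build_dependents(rules)[name])
    return (not blockers, blockers)


def can_enable(rules, name):
    """A rule cannot be enabled while any dependency is disabled or not
    installed. Returns (allowed, blocking_dependencies). Only direct
    dependencies are inspected (an assumption of this example)."""
    _enabled, _installed, deps = rules[name]
    blockers = []
    for dep in deps:
        # A dependency missing from the inventory is treated as not installed.
        dep_enabled, dep_installed = rules.get(dep, (False, False, []))[:2]
        if not (dep_enabled and dep_installed):
            blockers.append(dep)
    return (not blockers, sorted(blockers))


def review_toggles(rules, toggles):
    """Evaluate planned (name, desired_enabled) changes against the current
    inventory and report which would be rejected and why."""
    report = {}
    for name, want_enabled in toggles:
        check = can_enable if want_enabled else can_disable
        allowed, blockers = check(rules, name)
        report[name] = {"allowed": allowed, "blockers": blockers}
    return report


if __name__ == "__main__":
    print(filter_rules(SAMPLE_RULES, r"^BB:.*login"))
    planned = [("BB:Auth Servers", False), ("Brute Force Login", False),
               ("Legacy Login Check", True), ("Uses Missing Content", True)]
    for name, verdict in review_toggles(SAMPLE_RULES, planned).items():
        status = "ok" if verdict["allowed"] else "blocked by " + ", ".join(verdict["blockers"])
        print(f"{name}: {status}")
```

Running the script shows that disabling BB:Auth Servers is blocked by the two rules that reference it, while disabling Brute Force Login (a leaf rule) is allowed; enabling a rule whose building block is not installed is likewise rejected, matching the warning messages the console would show.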
- Edit MITRE mappings for rules or building blocks. For more information, see Editing MITRE Mappings in a Rule or Building Block.
- To add custom rule attributes to the selected rule or building block, follow these steps:
  - Click Open in rule wizard on the report menu bar.
  - In the center pane of the screen, expand the Custom attributes section.
  - If no custom attributes are currently added to the rule, click the plus sign icon and select the checkbox for each relevant attribute and value. Then, click Save and apply.
    Tip: You can also define new custom attributes in this window.
  - If you want to add more values to the custom attributes already added to the rule, click the plus sign icon for the attribute and select values from the list.
    Tip: You can also define new custom attribute values in this window.
  - Close the wizard.
    Tip: To fully manage custom rule attributes and their values, such as editing or deleting, go to Settings > Custom Rule Attributes.
- To investigate QRadar User Behavior Analytics rules, see Investigating user behavior analytics rules.
- Visualize your rules and building blocks after you organize the report data.
- Export the report as a CSV or XML file to share with others.
- Export the MITRE mappings as a JSON file to share with others.