
Exploring QRadar Rules

Tune your rules by filtering different properties to ensure that the rules are defined and working as intended, including log source coverage. Determine which rules you might need to edit in IBM QRadar or investigate further in IBM QRadar Use Case Manager.

Ensure you have the proper user permissions to view and maintain QRadar rules. For more information, see Assigning User Permissions for QRadar Use Case Manager.

Follow the suggested workflow for investigating your rules.

  1. Go to the Rules Explorer page.
  2. Filter rules and building blocks by attributes, tests, and MITRE ATT&CK tactics and techniques.
  3. To find the rule you want to edit or search, filter on the rule name, tactic, or technique by using a regular expression. You can also use the Group filter to select the group you want to search, such as authentication or compliance.
  4. Use predefined templates or create custom templates.
  5. Customize the report presentation to make it easier to investigate the rules and building blocks.
  6. Visualize your rules and building blocks after you organize the report data.
  7. Edit MITRE mappings for rules or building blocks. For more information, see Mapping Custom Rules or Building Blocks to MITRE Tactics.
  8. Export the report as a CSV file to share with others.
  9. Export the MITRE mappings as a JSON file to share with others.
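The same filtering that steps 2 and 3 describe in the Rules Explorer can be reproduced offline against the CSV report that step 8 exports, which is useful when you want to repeat a review or feed the results into a ticketing system. The following is an added example, not code from IBM or from QRadar Use Case Manager. The column names and the sample rows are constructed assumptions made for this example, not the documented export schema; adjust the field names to match the header of your own export.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export. The column names are an assumption for this
# example and are not the documented Use Case Manager CSV schema.
SAMPLE_CSV = """name,type,group,tactic,technique,log_sources
Excessive Failed Logins,Rule,Authentication,Credential Access,T1110,Windows Security
Successful Login After Failures,Rule,Authentication,Credential Access,T1110,Windows Security
BB:HostDefinition: Database Servers,Building Block,Compliance,,,
Suspicious Remote Service Creation,Rule,Malware,Execution,T1569,Windows Security
Outbound to Known Bad IP,Rule,Threats,Command and Control,T1071,Firewall
Privilege Escalation Attempt,Rule,Threats,Privilege Escalation,T1068,
"""


def load_rows(text):
    """Parse an exported report into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_rules(rows, pattern=None, group=None, ignore_case=True):
    """Mirror the Rules Explorer filters: a regular expression matched against
    the rule name, tactic, and technique, plus an optional exact Group filter."""
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags) if pattern else None
    matched = []
    for row in rows:
        if group and row["group"] != group:
            continue
        if rx and not any(rx.search(row[field]) for field in ("name", "tactic", "technique")):
            continue
        matched.append(row)
    return matched


def tactic_coverage(rows):
    """Count how many rules or building blocks map to each MITRE tactic,
    ignoring entries with no mapping (the 'Edit MITRE mappings' step)."""
    return Counter(row["tactic"] for row in rows if row["tactic"])


def rules_without_log_sources(rows):
    """Rules that have no log source attached: these can never fire and are
    the first thing to check for log source coverage."""
    return [row["name"] for row in rows if row["type"] == "Rule" and not row["log_sources"]]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for row in filter_rules(rows, pattern=r"login"):
        print("login-related:", row["name"])
    for row in filter_rules(rows, group="Compliance"):
        print("compliance group:", row["name"])
    print("tactic coverage:", dict(tactic_coverage(rows)))
    print("no log sources:", rules_without_log_sources(rows))
```

Point `load_rows` at the contents of your exported file instead of `SAMPLE_CSV`; the regular expression syntax is Python's `re`, which is close to but not identical to the expression syntax used in the Rules Explorer filter, so test any non-trivial pattern in both places.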

Filtering Rules and Building Blocks by Their Properties