Filtering Rules and Building Blocks by Their Properties
Tune your rules or building blocks by filtering on their attributes (such as type, origin, and group), or on their test definitions. For example, you can add a test filter that matches only rules with tests on events from a specific log source. You can also examine and improve your MITRE ATT&CK coverage by filtering your rules based on their mappings to tactics and techniques.
If you want to filter by MITRE ATT&CK tactics, you must first map your rules to MITRE tactics and techniques. For more information, see Mapping Custom Rules or Building Blocks to MITRE Tactics.
The more filters that you apply, the narrower the list of results. QRadar Use Case Manager combines the options selected within one filter group with OR, and combines multiple filter groups with AND. The only exception is the Other tests filter group, where multiple selected options are combined with AND. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon).
- On the Rules Explorer page, expand the filters in the Rule attributes section. The following list describes some of the rule attributes you can filter:
- Expand the filters in the Rule tests section. The following list describes some of the rule tests you can filter:
- Expand the filters in the MITRE ATT&CK section. The following options are available to filter:
- To clear the report results, click Clear filters, choose new filters in the left pane, and then click Apply to display new results.
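The combination logic described above (OR within a filter group, AND across groups, AND within the Other tests group) as an added example; this is not IBM's code, and the rule records, group names, and attribute keys are constructed sample data, not the product's exact labels:

```python
# Added example: models the Use Case Manager filter semantics over sample rules.
# Rule records and group names are constructed assumptions for illustration.
from typing import Dict, List, Set

# Constructed sample rules. Multi-valued attributes are sets because a rule can
# map to several MITRE tactics or carry several test types.
RULES: List[Dict[str, object]] = [
    {"name": "Brute force login", "type": "Event", "origin": "System",
     "tactics": {"Credential Access"}, "other_tests": {"log_source", "username"}},
    {"name": "Custom exfil watch", "type": "Flow", "origin": "User",
     "tactics": {"Exfiltration", "Command and Control"}, "other_tests": {"log_source"}},
    {"name": "BB: admin hosts", "type": "Building Block", "origin": "User",
     "tactics": set(), "other_tests": set()},
]

# The exception named in the text: options inside "Other tests" use AND.
AND_WITHIN_GROUP = {"other_tests"}


def _values(rule: Dict[str, object], attr: str) -> Set[str]:
    """Normalise a rule attribute to a set so single and multi-valued fields compare alike."""
    v = rule.get(attr, set())
    return v if isinstance(v, set) else {v}


def rule_matches(rule: Dict[str, object], filters: Dict[str, Set[str]]) -> bool:
    """True when every non-empty filter group is satisfied (AND across groups).

    Within a group, any selected option may match (OR), except the Other tests
    group, where every selected option must be present (AND).
    """
    for group, selected in filters.items():
        if not selected:            # an empty group places no constraint
            continue
        have = _values(rule, group)
        if group in AND_WITHIN_GROUP:
            if not selected <= have:   # all selected options required
                return False
        elif not (selected & have):     # at least one selected option required
            return False
    return True


def filter_rules(rules: List[Dict[str, object]], filters: Dict[str, Set[str]]) -> List[str]:
    """Return the names of the rules that pass the filters, in their original order."""
    return [str(r["name"]) for r in rules if rule_matches(r, filters)]
```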