Filtering Rules and Building Blocks by their Properties
Tune your rules or building blocks by filtering on their attributes, such as type, origin, and group, or on their test definitions. For example, you can add a test filter that matches only rules whose tests reference a specific log source. You can also examine and improve your MITRE ATT&CK coverage by filtering rules on their mappings to tactics and techniques.
If you want to filter by MITRE ATT&CK tactics, you must first map your rules to MITRE tactics and techniques. For more information, see Editing MITRE Mappings in a Rule or Building Block.
The more filters that you apply to the rules, the more fine-tuned the list of results you get. QRadar Use Case Manager uses the OR condition within the options of one filter group, and uses the AND condition across multiple groups of filters. For example, selecting two groups returns rules that belong to either group, but selecting a group and a tactic returns only rules that satisfy both. The only exception is the Other tests filter group, where the AND condition is used for multiple options of that filter group: selecting two test types there returns only rules that use both. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon).
As you select filters, the unapplied filter tags appear in the filters row with a lighter colored background. After you apply the filters, the tags change to a darker color background.
- On the Use Case Explorer page, select from the filters in the Rule attributes section. The following list describes some of the rule attributes you can filter:
Rule name
Enter a specific rule name or search for it by using a regular expression.
Enabled
Filter by whether a rule is enabled or disabled. Enable or disable the appropriate rules so that your system generates meaningful offenses for your environment.
Rule type
Filter by custom or anomaly detection rules. Custom rules perform tests on events, flows, and offenses to detect unusual activity in your network. Anomaly detection rules perform tests on the results of saved flow or event searches to detect unusual traffic patterns in your network.
Groups
Rules and building blocks can be categorized into groups so that you can view and track them efficiently. For example, you can view all rules that are related to compliance. Select specific groups or click Select all.
Action
Filter by the action that the rule takes when an event matches it.
Response
Filter by the response that QRadar takes when the rule is triggered.
Creation and modification dates
Use the date filters to see what was created or modified during a period, such as the last week. The modification date shows which rules were modified, not what changed inside them.
Notes
Enter a specific note or search for it by using a regular expression. For example, enter ^$ to find rules with empty notes, and then add information to those notes.
- Select from the filters in the Rule tests section. The following list describes some of the rule tests you can filter:
Test definition
Enter a specific test definition or search for it by using a regular expression.
Log source type
A rule relates to a log source type if it directly references the log source type, or if it references a log source, QID, or event category that maps to that log source type. By default, you see only the log source types that are used by log sources in your QRadar environment. Click Show all types to see every log source type that can be referenced in a test, directly or through a QID or event category.
Log source
A rule relates to a log source when a test in the rule references that log source. Use the search filter to find specific log sources, or click Select all to filter on every log source in the list. You can filter on the log source name or by using a regular expression, which is useful when your environment has hundreds of thousands of log sources.
Log source group
A rule relates to a log source group when a test in the rule references a log source that belongs to that group. For example, select sensor device as the log source group to see only rules that run tests on log sources in the sensor device log source group.
Domain
A rule can work in the context of a single domain or in the context of all domains. If there is more than one domain in your environment, each domain is added to the filter list, so that you can filter the rules of a multi-domain environment by individual domain. To add a domain column to the rule report, click the gear icon, select Domain under the Test option, and then click Apply filters. For more information about creating domains, see Creating domains.
Other tests
Hover over each checkbox label to see the specific rule tests that it covers. For example, you can search for a rule that references a specific value of a test, such as an IP test like "Identity IP is not 0."
To identify only the rules that test source IP addresses, add a column for Test: IP, and then filter on "source" in the Test definition field.
If you have multi-tenancy, use the Domain test to distinguish the rules of one tenant from those of another: select the domain filter and add the Domain column.
If you're looking for custom properties or reference sets, use the predefined templates.
If you want to see which log source types are used or unused, select the appropriate filter. For example, the Log source coverage by rule template shows the rules that relate to log source types based on their tests. Assume that 342 log source types are available in your environment. To see only the rules for log source types that are currently used (log source types that have at least one log source), select the Log source type - used filter.
- Select from the filters in the MITRE ATT&CK section. The following options are available to filter:
Tactics
Select tactics from the list. For example, the Initial Access tactic covers adversaries who are trying to get into your network.
Techniques
Select techniques from the list. The techniques are pre-filtered to match the selected tactics. For example, the Account Discovery technique covers adversaries who attempt to get a list of your local system or domain accounts.
Confidence
Indicates the level of confidence that is assigned to a mapping for rule coverage.
Enabled
Indicates, for each rule, whether the mapping between the tactic or technique and the rule is turned on. Mappings that are not enabled are not counted in the technique coverage heat map.
- If you have many log sources in your environment, use the Search field in the Filters pane to find specific ones, and then select them to fine-tune the report. The search makes it easy to locate a specific filter or log source in a long list.
- To filter content extension attributes, follow the steps in Identifying Gaps in QRadar Rule Coverage from Content Extensions.
- To clear the report results, click Clear filters, choose new filters in the left pane, and then click Apply filters to display new results.
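The combination rules above (OR within a filter group, AND across groups, AND within Other tests), the regular expression filters on rule name and notes, the way a rule is related to a log source type through a log source, QID, or event category, and the heat map's treatment of disabled mappings are easy to misread when you are staring at the filter pane. The following Python model is an added example, not QRadar code and not a call to any QRadar API: it reproduces those semantics over a constructed rule inventory, and the rule names, log sources, QID, event category, and MITRE mappings in it are invented for illustration.

```python
"""Model of how QRadar Use Case Manager combines rule filters (added example,
not QRadar code; the rule inventory and lookup tables below are constructed)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Mapping:
    tactic: str
    technique: str
    confidence: str   # e.g. "High", "Medium", "Low"
    enabled: bool     # disabled mappings do not reach the heat map


@dataclass
class Rule:
    name: str
    enabled: bool
    rule_type: str    # "custom" or "anomaly"
    groups: set
    notes: str
    tests: list       # (test kind, value) pairs, a simplification of rule tests
    mappings: list


# Constructed lookups (assumptions, not real QRadar data): which log source
# type a log source, QID or event category belongs to.
LOG_SOURCE_TO_TYPE = {"DC01": "Microsoft Windows Security Event Log"}
QID_TO_TYPE = {5000001: "Microsoft Windows Security Event Log"}
CATEGORY_TO_TYPES = {"Firewall.Deny": {"Palo Alto PA Series"}}

RULES = [  # constructed inventory
    Rule("Brute force: Windows logon failures", True, "custom", {"Authentication"}, "",
         [("log_source", "DC01"), ("ip", "Identity IP is not 0")],
         [Mapping("Credential Access", "T1110", "High", True)]),
    Rule("Outbound deny spike", True, "anomaly", {"Network"}, "Tuned 2024-03",
         [("event_category", "Firewall.Deny"), ("reference_set", "Known C2")],
         [Mapping("Command and Control", "T1071", "Medium", True)]),
    Rule("Account enumeration", False, "custom", {"Authentication", "Compliance"}, "",
         [("qid", 5000001), ("ip", "Source IP is 10.0.0.0/8")],
         [Mapping("Discovery", "T1087", "Low", False)]),
    Rule("Firewall config changed", True, "custom", {"Compliance"}, "Owner: netops",
         [("log_source_type", "Palo Alto PA Series")], []),
]

AND_WITHIN_GROUP = {"other_tests"}  # groups whose options are ANDed, not ORed


def log_source_types(rule):
    """A rule relates to a log source type if a test names it directly or
    names a log source, QID or event category that maps to that type."""
    types = set()
    for kind, value in rule.tests:
        if kind == "log_source_type":
            types.add(value)
        elif kind == "log_source":
            types.add(LOG_SOURCE_TO_TYPE[value])
        elif kind == "qid":
            types.add(QID_TO_TYPE[value])
        elif kind == "event_category":
            types |= CATEGORY_TO_TYPES[value]
    return types


def option_hits(rule, group, option):
    """Does one selected option of one filter group match this rule?"""
    if group in ("name", "notes"):   # regular expression; "^$" finds empty notes
        return re.search(option, getattr(rule, group)) is not None
    if group in ("enabled", "rule_type"):
        return getattr(rule, group) == option
    if group == "groups":
        return option in rule.groups
    if group == "log_source_type":
        return option in log_source_types(rule)
    if group == "other_tests":       # option is a test kind, e.g. "ip"
        return any(kind == option for kind, _ in rule.tests)
    if group in ("tactic", "technique", "confidence"):
        return any(getattr(m, group) == option for m in rule.mappings)
    raise ValueError(f"unknown filter group: {group}")


def rule_matches(rule, filters):
    """OR within a group, AND across groups; Other tests is AND within."""
    for group, options in filters.items():
        if not options:
            continue
        hits = [option_hits(rule, group, o) for o in options]
        if not (all(hits) if group in AND_WITHIN_GROUP else any(hits)):
            return False
    return True


def apply_filters(rules, filters):
    """Names of the rules that survive the filter set, in inventory order."""
    return [r.name for r in rules if rule_matches(r, filters)]


def technique_coverage(rules):
    """Rules per technique, counting only enabled mappings as the heat map does."""
    return dict(Counter(m.technique for r in rules for m in r.mappings if m.enabled))
```

With this inventory, `apply_filters(RULES, {"notes": ["^$"]})` returns the two rules with empty notes, `{"groups": ["Authentication"], "enabled": [True]}` narrows to the one enabled authentication rule, and `{"other_tests": ["ip", "log_source"]}` keeps only the rule that uses both test kinds, whereas the same two options in any other group would be ORed. The disabled T1087 mapping is found by a tactic filter but is absent from `technique_coverage`, which is the behaviour to keep in mind when a heat map looks emptier than your rule list suggests.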