Identifying Gaps in QRadar Rule Coverage from Content Extensions
Content extensions update IBM QRadar security information or add new content such as rules, reports, searches, reference sets, and custom properties. Filter the rule report by content extensions to see how you can increase rule coverage for log sources or MITRE tactics and techniques in your environment by installing content extensions from the IBM Security App Exchange.
IBM QRadar Use Case Manager automatically syncs with QRadar each day at midnight. If you install a content extension from the IBM Security App Exchange, you might not see updated rule coverage for up to 24 hours later. To immediately sync the rule coverage with QRadar, go to the configuration page and clear the cache for the app.
You can use predefined templates to see recommended content extensions to install or currently installed extensions, or manually filter your report results by content extension attributes. Predefined templates are available through the template icon on the menu bar of the rule report. Select the template you'd like to use from the categories in the template filter list.
- On the Use Case Explorer page, go to the filters in the Content extension attributes section. By default, QRadar Use
Case Manager filters on the installed content extensions in your environment.
To include any IBM-created content extensions that are not installed in your environment in your search, select the Include non-installed content extensions checkbox.
To filter only the content extensions that are not installed in your environment, select Include non-installed content extensions and then select Include only non-installed content extensions.
- Filter by specific content extension name from a list of currently installed extensions or the ones that aren't yet installed in your environment.
- Filter by specific content extension categories from the IBM Security App Exchange.
- Add the following columns to the rule report as needed: Content extension: Content extension name, Content extension: Content
category, and Rule attributes: Rule installed. If
you don't immediately see the columns in the report, ungroup the table
Any content extensions in the report that aren't installed in your environment are indicated in the Rule name column by a Missing content icon. Hover over each icon to see which content extension can provide the missing rules.
- To see details about a rule that is not currently installed, click the rule name. Exploring the rule details helps you determine whether the rule can add important coverage in your environment, and then you can download the content extension that contains the rule.
- To customize how the table rows are grouped, click the Configure grouping arrow icon on the tree structure icon.
Select the columns that you want to group by selecting the corresponding checkbox. Only groupable columns that are currently listed in the report are shown, in the order in which they appear in the report.
As you make your selections, a sample of what the report looks like displays in the Configure options for grouping rows window.
To show only the number of child rows in the report, select the corresponding checkbox.
Make your selections and then click Apply.
- To download the content extension, click the link in the Content extension name column to go to the extension's page in the IBM Security App Exchange. If QRadar Assistant 2.0.0 app is installed in your QRadar deployment, you can download the content extension from there.
- To clear the report results, click Clear filters, choose new filters in the left pane, and then click Apply filters to display new results.