Investigating QRadar Rules and Building Blocks

Ensure you have the proper user permissions to view and maintain QRadar rules. For more information, see Assigning User Permissions for QRadar Use Case Manager.

Investigate your rules by filtering different properties to ensure that the rules are defined and working as intended, including log source coverage. Determine which rules you might need to edit in QRadar or investigate further in IBM QRadar Use Case Manager.

Follow the suggested workflow for investigating your rules.

  1. Go to the Use Case Explorer page.
  2. Filter rules and building blocks by attributes, tests, content extension attributes, and MITRE ATT&CK tactics and techniques.
  3. To find the rule you want to edit or search, filter on the rule name, tactic, or technique by using a regular expression. You can also use the Group filter to select the group you want to search, such as authentication or compliance.
  4. Use predefined templates or create custom templates.
  5. Customize the report presentation to make it easier to investigate the rules and building blocks.
  6. Visualize your rules and building blocks after you organize the report data.
  7. Edit MITRE mappings for rules or building blocks. For more information, see Editing MITRE Mappings in a Rule or Building Block.
  8. Export the report as a CSV file to share with others.
  9. Export the MITRE mappings as a JSON file to share with others.