Predefined Report Content Templates
Predefined content templates define the filters and columns of the rule reports, including column order and sorting options.
Rule Dependencies
Rules perform tests on events, flows, or offenses, and if all the conditions of a test are met, the rule generates a response. The tests in each rule can also reference other building blocks and rules; these relationships are called dependencies.
|
Name |
Description |
|---|---|
|
Default template - All rules |
See a default view of your rules in QRadar; building blocks are not included in this view. |
|
Reference sets per rule |
For each rule that uses reference sets in a rule test, show the reference sets. |
|
Reference sets per rule including test definition |
For each rule that uses reference sets in a rule test, show the reference sets and the rule tests. |
|
Number of reference sets per rule |
See how many reference sets are referenced by each rule. |
|
Rules per reference set |
For each reference set that is used by a rule, show the rules that use it and the rule tests. |
|
Rules per custom property |
For each custom property used by a rule, show the rules that use it and the rule tests. Use this report to identify custom properties that have the same purpose but a different name. Or see whether your new log source can be expanded by the rules that use a custom property that is applicable for the new log source. |
|
Log source coverage by rules - my log sources only |
For each log source type, show which rules are related to it. Use this report to help you determine which log sources need more coverage. |
|
Log source coverage by rules |
For each log source type, show which rules are related to it. |
|
Log source coverage by rules including tests |
For each log source type, show which rules are related to it and which tests tie the rule to the log source type. Use this report to help you determine which devices need more coverage. The test definition explains why the rule is related to the specific log source type. |
|
Log source types per rule |
For each rule, see which log source types each rule works for. Use this report to help you determine what log coverage you need for a specific rule or whether rules are covering less than intended. You can add the log source type test definition to this report to see how the rule is related to a specific log source. |
|
Log source types per custom property |
For each custom property referenced by a rule, show the log source types that are related to the rule. Use this report to identify the log source types that need a custom property defined. |
MITRE ATT&CK Coverage
Tactics represent the goal of an ATT&CK technique or sub-technique. For example, an adversary might want to get credential access to your network. Techniques represent how an adversary achieves their goal. For example, an adversary might dump credentials to get credential access to your network. Use the predefined templates to create or modify rules and building block mappings.
| Name | Description |
|---|---|
| MITRE ATT&CK tactics and techniques mapped to rules | Shows all tactics and their techniques that are mapped to rules. |
| Rules mapped to MITRE ATT&CK tactics and techniques | Shows all rules that are mapped to at least one tactic and view its techniques. |
Installed Content Extensions
See the list of all content extensions that are installed from the IBM Security App Exchange, and the list of rules for each of them.
| Name | Description |
|---|---|
| Content extensions installed from IBM Security App Exchange | See the list of all content extensions that are installed from IBM Security App Exchange and the list of rules for each of them. |
Recommended Non-installed Content Extensions
Content extensions update QRadar security information or add new content, such as rules, reports, searches, reference sets, and custom properties. Use the predefined templates to see how you can increase rule coverage for log sources or MITRE tactics and techniques in your environment by installing content extensions from the IBM Security App Exchange.
| Name | Description |
|---|---|
| Recommended non-installed content based on my log sources | Explore how adding new non-installed content from the IBM Security App Exchange can expand coverage based on the number of rules per log source type in each content extension. |
| Recommended non-installed content based on MITRE coverage | Explore how adding new non-installed content from the IBM Security App Exchange can expand coverage for MITRE tactics and techniques. |
| Recommended unused log sources | Explore how adding new log sources can expand coverage for use cases. |
| All non-installed content | See the list of all non-installed content extensions and their rules. The list is displayed in an ungrouped table format. |
User Behavior Analytics
User Behavior Analytics rules can help you identify potential insider threats inside your network.
| Name | Description |
|---|---|
| All User Behavior Analytics rules | For all the installed and non-installed User Behavior Analytics rules, show the risk score. |
| Installed User Behavior Analytics rules | For installed User Behavior Analytics rules, show the risk score. |
| Non-installed User Behavior Analytics rules | For non-installed content extensions, show the User Behavior Analytics rules that are available when the extensions are installed. |
Inactive Rules
Rules that don’t trigger in a certain time period might be misconfigured, and you might not be getting the most value out of your IBM QRadar deployment. Review your inactive rules for possible tuning options.
| Name | Description |
|---|---|
| Rules not active in the past week | See the list of rules that did not assign an event to an offense in the past week. |
| Rules not active since installation | See the list of rules that never assigned an event to an offense since the date they were installed in QRadar. |