Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Filtering Rules and Building Blocks by their Properties

If you want to filter by MITRE ATT&CK tactics, you must first map your rules to MITRE tactics and techniques. For more information, see Editing MITRE Mappings in a Rule or Building Block.

Tune your rules or building blocks by filtering their attributes, such as type, origin, group, and many more. You can also tune rules or building blocks by filtering them based on their test definitions. For example, you can add a test that matches only events from a specific log source. Examine and improve your MITRE ATT&CK coverage by filtering your rules based on their mappings to tactics and techniques.

The more filters that you apply to the rules, the more fine-tuned the list of results you get. QRadar Use Case Manager uses the OR condition within the options of one filter group, and uses the AND condition across multiple groups of filters. The only exception to the rule is in the Other tests filter group, where the AND condition is used for multiple options of that filter group. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon).

As you select filters, the unapplied filter tags appear in the filters row with a lighter colored background. After you apply the filters, the tags change to a darker color background.

  1. On the Use Case Explorer page, select from the filters in the Rule attributes section. The following list describes some of the rule attributes you can filter and how to use them:

    Rule name

    Enter a specific rule name or search for it by using regular expressions.

    Rule enabled

    Enable or disable the appropriate rules to ensure that your system generates meaningful offenses for your environment.

    Rule category

    Filter by custom or anomaly detection rules in the report. Custom rules perform tests on events, flows, and offenses to detect unusual activity in your network. Anomaly detection rules perform tests on the results of saved flow or event searches as a means to detect when unusual traffic patterns occur in your network.


    Categorize the rules or building blocks into groups to help you efficiently view and track your rules. For example, you can view all rules that are related to compliance. Select specific groups or click Select all.


    Select the action that you want the rule to take when an event occurs.


    Select the response that you want QRadar to take when a rule is triggered.

    Creation and modification dates

    Use the date filters to see what changed during the last week, or to see rules that were modified. The modification date shows the rules that were modified but not the modified content of the rules.


    Enter a specific note or search for it by using regular expressions. For example, you can enter ^$ to find rules with empty notes and then add information to the note.

    User Behavior Analytics rules

    Filter rules on whether they are related to QRadar User Behavior Analytics. This filter displays only when the QRadar User Behavior Analytics app is installed in your QRadar deployment.


    For a rule to be considered related to QRadar User Behavior Analytics, the following conditions must be met:

    • The Dispatch New Event option must be selected in the Rule Response.
    • The User Behavior Analytics risk score must be set on the Rule Details page in QRadar Use Case Manager.

    For more information, see Integrating new or existing QRadar content.

  2. Select from the filters in the Rule activity section. Filtering for inactive rules is supported on QRadar 7.4.1 or later.

    Rule active

    Select Never to see which rules have never assigned an event to an offense since they were installed in QRadar.

    Rule not active (timeframe)

    The default date is in the past week. Change the time period, or choose to filter rules that aren't active since a specific date.

  3. Select from the filters in the Rule tests section. The following list describes some of the rule tests you can filter:

    Test definition

    Enter a specific test definition or search for it by using regular expressions.

    Log source type

    A rule relates to log source types if it directly references the log source type, or if it references a log source, QID, or event category that maps to the log source type. By default, you see only the log source types that are used by log sources in your QRadar environment. Click Show all types to see the log source types that you can use directly in a test or by the QID or event categories.

    Log Sources

    A rule relates to log sources when the log source that is referenced by a test is used in the rule. Use the search filter to find specific log sources to filter or click Select all to filter all of the log sources in the list. You can filter on the log source name or by using a regular expression. This type of search is useful when you have hundreds of thousands of log sources in your environment.

    Log Source Group

    A rule relates to log source groups when a log source in the log source group that is referenced by a test is used in the rule. For example, you can select sensor device as the log source group and see only rules that run tests on log sources that are part of the sensor device log source group.


    A rule can work in the context of a single domain or in the context of all domains. If there is more than one domain in your environment, they are added to the filter list. Use this option to filter the domains in a multi-domain environment by each individual domain.

    To add a domain column to the rule report, click the gear icon. Scroll down to the Rule tests section of the window, select Domain in the Test option list, and then click Apply.

    Other tests

    Hover over each checkbox label to see the specific rule tests. For example, search for a rule that references a specific value of a test, such as an IP like "Identity IP is not 0."

    • To identify source IP addresses only, add a column for Test: IP, and then a source filter in the Test definition field.

    • If you have multi-tenancy, use the Domain test to distinguish rules from one tenant to another. Select the Domain filter, and then add the Domain column.

    • If you're looking for custom properties or reference sets, use the predefined templates.

    • If you want to see the log source types that are used or unused, select the appropriate filter. For example, the Log source coverage by rule template shows the rules that are related to log source types based on tests. Assume that 342 log source types are available in your environment. To see only the rules for log source types that are currently used (log source types that have at least one log source), select the Log source type - used filter.

  4. Select from the filters in the MITRE ATT&CK section. The following options are available to filter:


    Select tactics from the list. For example, an Initial Access tactic is used by adversaries who are trying to get into your network.


    Search for techniques and their sub-techniques or select them from the list. The techniques are pre-filtered to match the selected tactic. For example, an Account Discovery technique occurs when adversaries attempt to get a list of your local system or domain accounts.

    Sub-techniques are identified by a dot in the ID, such as "T1003.002 Security Account Manager". Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.

    Mapping confidence

    Indicates mappings that are assigned a specific level of confidence for rule coverage.

    Mapping enabled

    Indicates for each rule whether the mapping between the tactic or technique and rules is turned on. Mappings that are not enabled are not added to the technique coverage heat map.

  5. If you have many log sources in your environment, you can search for specific ones by using the Search field in the Filters pane and then select them to fine-tune the report. This search can make it easier to find a specific filter in the large list of filters and log sources.
  6. To filter content extension attributes, follow the steps in Identifying Gaps in QRadar Rule Coverage from Content Extensions.
  7. To clear the report results, click Clear filters, choose new filters in the left pane, and then click Apply filters to display new results.