
Filtering Rules and Building Blocks by their Properties

If you want to filter by MITRE ATT&CK tactics, you must first map your rules to MITRE tactics and techniques. For more information, see Editing MITRE Mappings in a Rule or Building Block.

Tune your rules or building blocks by filtering their attributes, such as type, origin, group, and many more. You can also tune rules or building blocks by filtering them based on their test definitions. For example, you can add a test that matches only events from a specific log source. Examine and improve your MITRE ATT&CK coverage by filtering your rules based on their mappings to tactics and techniques.

The more filters that you apply, the narrower the list of results. QRadar Use Case Manager combines the options within one filter group with OR, and combines multiple filter groups with AND. The only exception is the Other tests filter group, where multiple selected options are combined with AND, so a rule must contain every selected test. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon).

As you select filters, the unapplied filter tags appear in the filters row with a lighter colored background. After you apply the filters, the tags change to a darker color background.
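The OR-within-a-group, AND-across-groups evaluation described above, together with the regular-expression attribute filters (rule name and note), is easy to misjudge when tuning a large rule set. The following Python model is an added example, not QRadar Use Case Manager code: the rule records and the filter-group names are constructed for illustration, and the Other tests exception is modelled as a subset check.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    """Minimal stand-in for a rule as shown in the Use Case Explorer report (constructed)."""
    name: str
    enabled: bool
    group: str
    origin: str
    note: str = ""
    other_tests: set = field(default_factory=set)

# Constructed sample rules; names and groups are not real QRadar content.
RULES = [
    Rule("Excessive Firewall Denies", True, "Compliance", "system", "",
         {"Log source type", "Identity IP"}),
    Rule("Local: Brute force login", True, "Authentication", "user",
         "Tuned for VPN gateway", {"Identity IP"}),
    Rule("Custom: Suspicious DNS", False, "Threat", "user", "", {"Log source type"}),
    Rule("Legacy: Old detection", False, "Compliance", "user", "", set()),
]

# Filter groups that accept regular expressions rather than exact option values.
REGEX_GROUPS = ("name", "note")

def rule_matches(rule, filters):
    """Return True when the rule satisfies every non-empty filter group.

    filters maps a group name to the list of selected options.  Within one
    group the options are OR'ed, except for 'other_tests', where every
    selected test must be present in the rule (AND).
    """
    for group, selected in filters.items():
        if not selected:
            continue                      # an empty group imposes no constraint
        if group == "other_tests":
            if not set(selected) <= rule.other_tests:
                return False              # AND: all selected tests required
        elif group in REGEX_GROUPS:
            value = getattr(rule, group)
            if not any(re.search(pattern, value) for pattern in selected):
                return False              # OR: any pattern may match
        else:
            if getattr(rule, group) not in selected:
                return False              # OR: value must be one of the options
    return True

def apply_filters(rules, filters):
    """Names of the rules that survive the combined filters, in report order."""
    return [r.name for r in rules if rule_matches(r, filters)]

if __name__ == "__main__":
    # Two groups selected: OR inside 'group', then AND with 'enabled'.
    print(apply_filters(RULES, {"group": ["Compliance", "Threat"], "enabled": [True]}))
    # The '^$' note filter from the text: rules whose note is empty.
    print(apply_filters(RULES, {"note": ["^$"]}))
```

Selecting two options in the Group filter widens the result, adding the Rule enabled filter narrows it again, and selecting two options under Other tests keeps only rules that carry both tests.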

  1. On the Use Case Explorer page, select from the filters in the Rule attributes section. The following list describes some of the rule attributes you can filter and how to use them:

    Rule name

    Enter a specific rule name or search for it by using regular expressions.

    Rule enabled

    Enable or disable the appropriate rules to ensure that your system generates meaningful offenses for your environment.

    Rule category

    Filter by custom or anomaly detection rules in the report. Custom rules perform tests on events, flows, and offenses to detect unusual activity in your network. Anomaly detection rules perform tests on the results of saved flow or event searches as a means to detect when unusual traffic patterns occur in your network.

    Group

    Categorize the rules or building blocks into groups to help you efficiently view and track your rules. For example, you can view all rules that are related to compliance. Select specific groups or click Select all.

    Action

    Select the action that you want the rule to take when an event occurs.

    Response

    Select the response that you want QRadar to take when a rule is triggered.

    Creation and modification dates

    Use the date filters to see which rules were created or modified during a period, such as the last week. The modification date shows which rules were modified, not what changed inside them.

    Note

    Enter a specific note or search for it by using regular expressions. For example, you can enter ^$ to find rules with empty notes and then add information to the note.

    User Behavior Analytics rules

    Filter rules on whether they are related to QRadar User Behavior Analytics. This filter displays only when the QRadar User Behavior Analytics app is installed in your QRadar deployment.

    Tip:

    For a rule to be considered related to QRadar User Behavior Analytics, the following conditions must be met:

    • The Dispatch New Event option must be selected in the Rule Response.
    • The User Behavior Analytics risk score must be set on the Rule Details page in QRadar Use Case Manager.

    For more information, see Integrating new or existing QRadar content.

  2. Select from the filters in the Rule activity section. Filtering for inactive rules is supported on QRadar 7.4.1 or later.

    Rule active

    Select Never to see which rules have never assigned an event to an offense since they were installed in QRadar.

    Rule not active (timeframe)

    By default, the time frame is the past week. Change the time period, or filter for rules that have not been active since a specific date.

  3. Select from the filters in the Rule tests section. The following list describes some of the rule tests you can filter:

    Test definition

    Enter a specific test definition or search for it by using regular expressions.

    Log source type

    A rule relates to log source types if it directly references the log source type, or if it references a log source, QID, or event category that maps to the log source type. By default, you see only the log source types that are used by log sources in your QRadar environment. Click Show all types to see the log source types that you can use directly in a test or by the QID or event categories.

    Log Sources

    A rule relates to log sources when the log source that is referenced by a test is used in the rule. Use the search filter to find specific log sources to filter or click Select all to filter all of the log sources in the list. You can filter on the log source name or by using a regular expression. This type of search is useful when you have hundreds of thousands of log sources in your environment.

    Log Source Group

    A rule relates to log source groups when a log source in the log source group that is referenced by a test is used in the rule. For example, you can select sensor device as the log source group and see only rules that run tests on log sources that are part of the sensor device log source group.

    Domains

    A rule can work in the context of a single domain or in the context of all domains. If there is more than one domain in your environment, they are added to the filter list. Use this option to filter the domains in a multi-domain environment by each individual domain.

    To add a domain column to the rule report, click the gear icon. Scroll down to the Rule tests section of the window, select Domain in the Test option list, and then click Apply.

    Other tests

    Hover over each checkbox label to see the specific rule tests. For example, search for a rule that references a specific value in a test, such as the IP test "Identity IP is not 0".

    Tip:

    • To identify source IP addresses only, add a column for Test: IP, and then a source filter in the Test definition field.

    • If you have multi-tenancy, use the Domain test to distinguish rules from one tenant to another. Select the Domain filter, and then add the Domain column.

    • If you're looking for custom properties or reference sets, use the predefined templates.

    • If you want to see the log source types that are used or unused, select the appropriate filter. For example, the Log source coverage by rule template shows the rules that are related to log source types based on tests. Assume that 342 log source types are available in your environment. To see only the rules for log source types that are currently used (log source types that have at least one log source), select the Log source type - used filter.

  4. Select from the filters in the MITRE ATT&CK section. The following options are available to filter:

    Tactics

    Select tactics from the list. For example, an Initial Access tactic is used by adversaries who are trying to get into your network.

    Technique

    Search for techniques and their sub-techniques or select them from the list. The techniques are pre-filtered to match the selected tactic. For example, an Account Discovery technique occurs when adversaries attempt to get a list of your local system or domain accounts.

    Sub-techniques are identified by a dot in the ID, such as "T1003.002 Security Account Manager". Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.

    Mapping confidence

    Filters mappings by the confidence level that is assigned to them for rule coverage.

    Mapping enabled

    Filters, for each rule, on whether the mapping between the rule and the tactic or technique is turned on. Mappings that are not enabled are not counted in the technique coverage heat map.

  5. If you have many log sources in your environment, you can search for specific ones by using the Search field in the Filters pane and then select them to fine-tune the report. This search can make it easier to find a specific filter in the large list of filters and log sources.
  6. To filter content extension attributes, follow the steps in Identifying Gaps in QRadar Rule Coverage from Content Extensions.
  7. To clear the report results, click Clear filters, choose new filters in the left pane, and then click Apply filters to display new results.
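Step 4 filters on technique IDs, where a dot marks a sub-technique, and notes that disabled mappings are excluded from the technique coverage heat map. The following Python snippet is an added example that is not part of QRadar Use Case Manager: the mapping records are constructed, and the choice to count a sub-technique mapping toward its parent technique in the heat map is an assumption made here for illustration, not a documented behaviour of the app.

```python
import re
from collections import Counter

# Constructed sample mappings: (rule name, technique id, mapping enabled, confidence).
# Rule names are made up; technique ids follow the ATT&CK "T1234" / "T1234.001" form.
MAPPINGS = [
    ("Credential dump detected",   "T1003.002", True,  "High"),
    ("LSA secrets access",         "T1003.004", True,  "Medium"),
    ("Local account enumeration",  "T1087.001", True,  "High"),
    ("Domain account enumeration", "T1087.002", False, "Low"),
    ("Generic credential access",  "T1003",     True,  "Low"),
]

# A technique id is T + four digits, optionally followed by a three-digit sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
CONFIDENCE_LEVEL = {"Low": 1, "Medium": 2, "High": 3}

def is_sub_technique(tid):
    """Sub-techniques are identified by a dot in the id, for example T1003.002."""
    return "." in tid

def parent_technique(tid):
    """T1003.002 -> T1003; a plain technique id is its own parent."""
    return tid.split(".", 1)[0]

def rules_for_technique(mappings, tid):
    """Rules mapped to a technique or to any of its sub-techniques (enabled or not).

    Mirrors searching for a technique in the Technique filter, which the text says
    covers techniques and their sub-techniques.
    """
    if not TECHNIQUE_ID.match(tid):
        raise ValueError(f"not an ATT&CK technique id: {tid}")
    return [rule for rule, mapped, _enabled, _conf in mappings
            if mapped == tid or parent_technique(mapped) == tid]

def technique_coverage(mappings, min_confidence=None):
    """Heat-map counts per technique id from enabled mappings only.

    Disabled mappings are skipped, as the text states for the heat map.  A
    mapping below min_confidence is also skipped.  Sub-technique mappings are
    additionally counted toward the parent technique (assumption for this example).
    """
    counts = Counter()
    threshold = CONFIDENCE_LEVEL[min_confidence] if min_confidence else 0
    for _rule, tid, enabled, conf in mappings:
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"not an ATT&CK technique id: {tid}")
        if not enabled or CONFIDENCE_LEVEL[conf] < threshold:
            continue
        counts[tid] += 1
        if is_sub_technique(tid):
            counts[parent_technique(tid)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(rules_for_technique(MAPPINGS, "T1003"))
    print(technique_coverage(MAPPINGS))
    print(technique_coverage(MAPPINGS, min_confidence="High"))
```

Comparing the two coverage results shows why the Mapping enabled and Mapping confidence filters matter when reading the heat map: the disabled T1087.002 mapping never contributes, and raising the confidence threshold removes the Low and Medium mappings from the counts.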