Pinned topic Exporting/dumping a list of defined custom rules
Anybody know the db table/fields I can use to get this info?
Posted By Greg
Re: Update (2013-02-19T20:38:23Z)
I was able to find a custom_rule table in the postgres db but the rule appears to be stored in XML format without any logical way to parse it.
Is there any other way to export a list of the rules and definitions via the web interface that I am not finding?
Posted By Greg
Re: Hi Greg, We do not have a (2013-02-20T13:45:42Z)
Hi Greg,
We do not have a supported way to do this at this moment. A list of default rules is provided in the tuning guide. You can raise a ticket with the support group to request this feature.
In the meantime, if you have a specific requirement for this feature, our professional services group might be able to help you implement this through custom scripting.
Posted By Vinay Sukumar
Re: why? (2013-02-21T10:39:54Z)
What's the goal of dumping the rules? I'm not saying you shouldn't do it, just that it could matter what format the dump is in depending on how you want to use it. Some use cases that come to mind:
- Testing new rules in "dev" and then exporting to "production"
- Backups for disaster recovery purposes
- Editing rules "in bulk" with a script or similar tool, working on the exported data which you would then reimport.
Posted By travis.mcwaters
Re: Audit (2013-02-22T14:42:24Z)
All those are valid options; however, you are missing the most simple: handing a list of rules and what we trigger off to auditors.
Posted By Greg
Re: Found a method. (2013-02-22T14:44:12Z)
Ran the following to dump the rules from the DB:
echo "COPY (SELECT rule_data FROM custom_rule) TO STDOUT with CSV HEADER" | psql -U qradar -o Rules.csv qradar;
Then ran it through an ugly (sorry, haven't gone back to clean it up yet) script to parse out all the crap. This will dump the rule name, groups, whether it is enabled, and the rule definition.
perl -nle 'my @enabled = /(?<=enabled="").*?(?<=\"\")/g;chop(@enabled);chop(@enabled);chomp(@enabled);my @group = /(?<=group="").*?(?<=\"\")/g;chop(@group);chop(@group);chomp(@group);my @name = /(?<=<name>).*?(?=<\/name>)/g;chomp(@name);my @text = /(?<=<text>).*?(?=<\/text>)/g;chomp(@text);print "@enabled;@group;@name;@text"' Rules.csv | sed 's/&lt;/</g' | sed 's/&gt;/>/g' | sed -e 's/<[^>]*>//g' -e '/^ *$/d' > Rules2.csv
Posted By Greg
NRox
Re: Exporting/dumping a list of defined custom rules (2013-04-24T16:41:51Z)
Try the following:
psql -U qradar -A -c "select rule_data from custom_rule" | grep "^<?xml" | sed -e 's/<notes\/>/<notes><\/notes>/' -e 's/.*<name>\(.*\)<\/name><notes>\(.*\)<\/notes>.*/"\1","\2"/' | sort > rules.csv
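Added example, not from the thread and not QRadar's own code: a Python version of the export that Greg's perl one-liner and NRox's sed pipeline perform, using an XML parser instead of regular expressions, so the doubled CSV quotes, the &lt;/&gt; entities and the self-closed <notes/> element that those pipelines patch around are handled by the library. The XML element and attribute names (<rule enabled=... group=...>, <name>, <notes>, <text>) are assumed from the fragments quoted above, and the rows are constructed samples; the real input is the Rules.csv produced by Greg's COPY command.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample rows such as `SELECT rule_data FROM custom_rule` might return,
# one XML document per row. The element and attribute names used here
# (<rule enabled=... group=...>, <name>, <notes>, <text>) are assumed from the
# fragments quoted in this thread; they are not taken from a QRadar schema.
SAMPLE_RULE_DATA = [
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<rule enabled="true" group="Authentication">'
    '<name>Multiple Login Failures</name>'
    '<notes>Tuned for Customer A</notes>'
    '<text>when the event(s) were detected by one or more of &lt;Windows&gt;</text>'
    '</rule>',
    # A disabled rule with no group attribute and an empty, self-closed <notes/>.
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<rule enabled="false">'
    '<name>Disabled Test Rule</name>'
    '<notes/>'
    '<text>when any event matches</text>'
    '</rule>',
]

FIELDS = ["enabled", "group", "name", "notes", "text"]


def parse_rule(xml_doc):
    """Extract the audit-relevant fields from one rule_data document.

    The XML parser decodes &lt;/&gt; entities and handles <notes/> itself, so
    the sed/perl clean-up steps from the thread are not needed.
    """
    root = ET.fromstring(xml_doc)
    return {
        "enabled": root.get("enabled", ""),
        "group": root.get("group", ""),
        "name": root.findtext("name", default=""),
        "notes": root.findtext("notes", default=""),
        "text": root.findtext("text", default=""),
    }


def rule_docs_from_copy_csv(csv_text):
    """Yield rule_data values from the output of
    COPY (SELECT rule_data FROM custom_rule) TO STDOUT WITH CSV HEADER.

    The csv module undoes the doubled quotes that the perl one-liner had to
    chop off by hand.
    """
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield row["rule_data"]


def rules_to_csv(xml_docs):
    """Return a ';'-separated report, one line per rule, sorted by rule name."""
    rows = sorted((parse_rule(doc) for doc in xml_docs), key=lambda r: r["name"])
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, delimiter=";", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def build_sample_copy_output(docs):
    """Build, locally and offline, what psql's COPY ... WITH CSV HEADER would
    emit for these rows (a constructed stand-in for the real Rules.csv)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["rule_data"])
    for doc in docs:
        writer.writerow([doc])
    return out.getvalue()


if __name__ == "__main__":
    # Round trip: COPY-style CSV -> rule_data documents -> audit report.
    copy_output = build_sample_copy_output(SAMPLE_RULE_DATA)
    print(rules_to_csv(rule_docs_from_copy_csv(copy_output)))
```

Against a real dump, `rules_to_csv(rule_docs_from_copy_csv(open("Rules.csv").read()))` produces the report; if the actual rule_data layout differs from the assumed names, only parse_rule needs adjusting. Because the output is sorted by name, two exports taken at different times can be diffed to show auditors exactly which rules were added, disabled or reworded in between.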
Asadz
Re: Found a method. (2014-01-10T20:43:09Z)
I have got the exact same requirements, but am unable to comply when I run the above command; it gives me an empty Rules2.csv file. Is anyone else able to run this command? Thanks.
Also, a verification on the last part of the sed: is it the following? (The crossed-out formatting makes it confusing.)
sed -e 's/<[^>]*>//g' -e '/^ *$/d' >
AARYEHS
Re: Exporting/dumping a list of defined custom rules (2015-11-09T22:54:32Z)
Ours is a multi-tenancy QRadar console where multiple customers get on-boarded.
We have already created close to 80 rules with Customer A domain as the 1st rule condition.
Now, we have to create the same 80 rules with Customer B domain. Is there any easy way to just remove Customer A name (say in some XML file) and input Customer B name?
Once we do this, we need to do the same for Customer C, D, E etc.
HasanGenc
Re: Exporting/dumping a list of defined custom rules (2016-09-21T18:39:45Z)
I tried to export custom rules and looked into the column options, but there is no "Rule - Assign Group" XML field. Do you know of, or did you find, any psql parameter or rule_export table?
Have a nice day.