Topic
  • 9 replies
  • Latest Post - 2016-09-21T18:39:45Z by HasanGenc
SystemAdmin
276 Posts

Pinned topic Exporting/dumping a list of defined custom rules

2013-02-19T18:25:05Z
I am trying to come up with a method for exporting or dumping all the defined rules that are active into a CSV or some other ASCII format.

Anybody know the db table/fields I can use to get this info?
Posted By Greg
  • SystemAdmin
    276 Posts

    Re: Update

    2013-02-19T20:38:23Z
    I was able to find a custom_rule table in the postgres db but the rule appears to be stored in XML format without any logical way to parse it.

    Is there any other way to export a list of the rules and definitions via the web interface that I am not finding?
    Posted By Greg
  • SystemAdmin
    276 Posts

    Re: Hi Greg, We do not have a

    2013-02-20T13:45:42Z
    Hi Greg,

    We do not have a supported way to do this at this moment. A list of default rules is provided in the tuning guide. You can raise a ticket with the support group to request this feature.

    In the meantime, if you have a specific requirement for this feature, our professional services group might be able to help you implement this through custom scripting.

    Regards,

    Vinay
    Posted By Vinay Sukumar
  • SystemAdmin
    276 Posts

    Re: why?

    2013-02-21T10:39:54Z
    What's the goal of dumping the rules? I'm not saying you shouldn't do it, just that it could matter what format the dump is in depending on how you want to use it. Some use cases that come to mind:
    • Testing new rules in "dev" and then exporting to "production"
    • Backups for disaster recovery purposes
    • Editing rules "in bulk" with a script or similar tool, working on the exported data which you would then reimport.

    Posted By travis.mcwaters
  • SystemAdmin
    276 Posts

    Re: Audit

    2013-02-22T14:42:24Z
    All those are valid options; however, you are missing the simplest: handing a list of rules and what we trigger off to auditors.
    Posted By Greg
  • SystemAdmin
    276 Posts

    Re: Found a method.

    2013-02-22T14:44:12Z
    Ran the following to dump the rules from the DB:

    echo "COPY (SELECT rule_data FROM custom_rule) TO STDOUT with CSV HEADER" | psql -U qradar -o Rules.csv qradar;

    Then ran it through an ugly script (sorry, haven't gone back to clean it up yet) to parse out all the crap. This will dump the Rule Name, Groups, whether it is enabled, and the rule definition.

    perl -nle '
        my @enabled = /(?<=enabled="").*?(?<=\"\")/g; chop(@enabled); chop(@enabled);  # strip the doubled CSV quotes
        my @group   = /(?<=group="").*?(?<=\"\")/g;   chop(@group);   chop(@group);
        my @name    = /(?<=<name>).*?(?=<\/name>)/g;
        my @text    = /(?<=<text>).*?(?=<\/text>)/g;
        print "@enabled;@group;@name;@text"' Rules.csv \
      | sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/<[^>]*>//g' -e '/^ *$/d' > Rules2.csv

    Posted By Greg
  • NRox
    1 Post

    Re: Exporting/dumping a list of defined custom rules

    2013-04-24T16:41:51Z

    Try the following:

    psql -U qradar -A -c "select rule_data from custom_rule" | grep "^<?xml" | sed -e 's/<notes\/>/<notes><\/notes>/' -e 's/.*<name>\(.*\)<\/name><notes>\(.*\)<\/notes>.*/"\1","\2"/' | sort > rules.csv

  • Asadz
    20 Posts

    Re: Found a method.

    2014-01-10T20:43:09Z

    I have got the exact same requirements, but when I run the above command it gives me an empty Rules2.csv file. Has anyone had any luck running this command? Thanks.

    Also, verification on the last part of the sed: is it the following (the crossed-out characters make it confusing)?

    sed -e 's/<*>//g' -e '/ *$/d' >

    Right?
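As an added example (not from this thread and not QRadar's own code), the same extraction done with a CSV reader and an XML parser instead of regex lookbehinds and sed: it undoes the quote doubling PostgreSQL writes in CSV mode, decodes entities, and keeps commas and quotes inside rule names from corrupting the output, and it has no unanchored pattern like `/ *$/d`, which matches every line and is one way such a pipeline ends with an empty Rules2.csv. The rule_data layout in the sample is constructed: only the <name>, <notes>, <text> elements and the enabled/group attributes are named in the thread; the <rule> wrapper and where the attributes sit are assumed.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for Rules.csv as written by
#   COPY (SELECT rule_data FROM custom_rule) TO STDOUT WITH CSV HEADER
# PostgreSQL doubles the quotes inside each rule_data field, which is what the
# perl one-liner's chop(); chop() was undoing. Only <name>, <notes>, <text>
# and the enabled="" / group="" attributes are named in the thread; the <rule>
# wrapper and attribute placement are assumed for this sample.
SAMPLE_CSV = '''rule_data
"<rule enabled=""true"" group=""Authentication""><name>Login Failures</name><notes/><text>when the event(s) were detected by one or more of &lt;b&gt;Windows&lt;/b&gt;</text></rule>"
"<rule enabled=""false"" group=""Compliance""><name>Audit, Quoted ""Rule""</name><notes>handed to auditors</notes><text>when any of &lt;i&gt;Event Category&lt;/i&gt; is Audit</text></rule>"
'''

TAG_RE = re.compile(r"<[^>]*>")  # the tag-stripper the forum garbled into <^>>*>

def parse_rule(rule_xml):
    """Return (enabled, group, name, text) for one rule_data document."""
    root = ET.fromstring(rule_xml)
    # enabled/group may sit on the root or a nested element; take the first hit.
    attrs = next((e.attrib for e in root.iter() if "enabled" in e.attrib), {})
    name = (root.findtext("name") or "").strip()
    # ElementTree already decodes &lt;/&gt;; the rule text still carries
    # presentation markup (<b>, <i>), dropped here like the original sed did.
    text = TAG_RE.sub("", root.findtext("text") or "").strip()
    return attrs.get("enabled", ""), attrs.get("group", ""), name, text

def export_rules(csv_text):
    """Parse every rule_data row; rows that are not well-formed XML are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            rows.append(parse_rule(row["rule_data"]))
        except ET.ParseError:
            continue
    return rows

def to_csv(rows):
    """Emit enabled,group,name,text with real CSV quoting (commas and quotes in names)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["enabled", "group", "name", "text"])
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(export_rules(SAMPLE_CSV)), end="")
```

Point `export_rules` at the contents of the real Rules.csv (for example `open("Rules.csv").read()`) to get the same four columns for every rule in custom_rule.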

  • AARYEHS
    3 Posts

    Re: Exporting/dumping a list of defined custom rules

    2015-11-09T22:54:32Z

    Need help.

    Ours is a multi-tenancy QRadar console where multiple customers get onboarded.

    We have already created close to 80 rules with the Customer A domain as the 1st rule condition.

    Now we have to create the same 80 rules with the Customer B domain. Is there any easy way to just remove the Customer A name (say in some XML file) and input the Customer B name?

    Once we do this, we need to do the same for Customers C, D, E, etc.

  • HasanGenc
    3 Posts

    Re: Exporting/dumping a list of defined custom rules

    2016-09-21T18:39:45Z

    Hello,

    I tried to export custom rules and looked into the column options, but there is no "Rule - Assign Group" XML field. Does anyone know of, or has anyone found, any psql parameter or rule_export table?

    Have a nice day.