Sunil.Nishankar

How to export all existing rules by using postgres command line

‏2014-05-19T16:17:23Z | postgres rules

Hi,

I want to export all rules, including default rules and custom rules, by using postgres command line mode. Please guide me on how to do this.

Thanks

Sunil

  • Nikodim

    Re: How to export all existing rules by using postgres command line

    ‏2014-05-21T08:29:19Z  

    IBM marketing materials say that "QRadar SIEM, QRadar Log Manager and QRadar Network Anomaly Detection support exporting and importing of correlation rules, report templates and other expert content, enabling greater collaboration and innovation."

    http://www-03.ibm.com/security/cloud/products.html

    Unfortunately this is not true. Exporting and importing of security context is not officially supported. 

    In the postgres DB, rules are stored in XML format in the table custom_rule (select * from qradar.public.custom_rule).

    You can also take a look here: https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014968476&ps=25

  • Mark_Walborn

    Re: How to export all existing rules by using postgres command line

    ‏2014-08-15T13:56:30Z  

    Extract rules with

    echo "COPY (SELECT rule_data FROM custom_rule) TO STDOUT with CSV HEADER" | psql -U qradar -o Rules.csv qradar;

     

    The above leaves the rules with a lot of XML tagging. Use the attached Python script to clean up the file. You can then open it in your favorite spreadsheet software to review.

    python rulesparse.py "name from Above" >Rules.tsv




    This will export all the rules in Tab Separated Values.

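One way to do the cleanup step described in the last reply, as an added example (it is not the attached rulesparse.py, which is not reproduced on this page, and it is not IBM code). It assumes nothing about the rule schema beyond "one XML document per CSV cell": it flattens each root element's attributes into TSV columns, accepts cells that arrive as PostgreSQL hex bytea output, and prefixes values that a spreadsheet would evaluate as formulas. The attribute names in the sample are constructed placeholders.

```python
import csv
import io
import sys
import xml.etree.ElementTree as ET

csv.field_size_limit(10**7)  # a rule's XML can exceed the 128 KiB default cell limit

def decode_cell(cell):
    """Return the cell as XML bytes, undoing PostgreSQL hex bytea output (\\x3c...)."""
    if cell.startswith("\\x"):
        return bytes.fromhex(cell[2:])
    return cell.encode("utf-8")

def safe(value):
    """Collapse tabs/newlines and neutralise leading spreadsheet formula characters."""
    value = " ".join(value.split())
    return "'" + value if value.startswith(("=", "+", "-", "@")) else value

def rules_to_rows(csv_text):
    """Return (columns, rows): one row per rule, one column per root-element attribute."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # skip the "rule_data" header written by CSV HEADER
    rules = []
    for record in reader:
        if not record or not record[0].strip():
            continue
        try:
            rules.append(ET.fromstring(decode_cell(record[0])).attrib)
        except (ET.ParseError, ValueError):
            continue  # not well-formed XML or bad hex; skip the row
    columns = sorted({key for attrs in rules for key in attrs})
    return columns, [[safe(a.get(c, "")) for c in columns] for a in rules]

def build_sample():
    """Constructed input: attribute names are placeholders, not the QRadar schema."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["rule_data"])
    writer.writerow(['<rule id="1" name="Constructed A" enabled="true"/>'])
    writer.writerow(["\\x" + b'<rule id="2" name="=1+1"/>'.hex()])
    return buf.getvalue()

if __name__ == "__main__":
    text = open(sys.argv[1], newline="").read() if len(sys.argv) > 1 else build_sample()
    columns, rows = rules_to_rows(text)
    out = csv.writer(sys.stdout, delimiter="\t", lineterminator="\n")
    out.writerow(columns)
    out.writerows(rows)
```

Run with the exported CSV as the only argument and redirect stdout to a .tsv file; with no argument it processes the constructed sample.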