Investigate your rules by filtering different properties. Determine which rules you might need to edit in IBM® Detection and Response Center or search in Data Explorer.
About this task
Follow the suggested workflow for investigating your rules.
Procedure
- From the vertical overflow menu on the report menu bar, click View presets and pick one. The default preset shows the rules that are available from IBM QRadar and the Sigma community.
- Filter the rules by source and origin, rule attributes, QRadar rule attributes, or MITRE
ATT&CK tactics and techniques. For more information, see Filtering rules by their properties.
- To find a rule with a specific name, filter on the name attribute by using a regular
expression.
- Customize the report presentation to make it easier to investigate your rules. To modify the column settings, go to the vertical overflow menu and click Manage columns.
- Search or scroll down the window to find the column that you want to add to the report
and select the relevant checkbox.
Tip: You can add other QRadar rule attributes to the report
display, such as rule category, group, log source type, or test.
- In the Selected columns section of the window, drag the columns
in the order that you want them displayed in the report.
- Click Apply.
- To investigate details for a specific rule, select the rule name to open the rule details
page. The rule details page contains sections for common rule attributes, test definitions, and
source-specific rule attributes, such as the author of a Sigma community rule.
Tips:
- To run a STIX pattern for a Sigma community rule, click Run query in Data
Explorer.
- To see more details about a Sigma community rule in GitHub, click Sigma community
external link.
- Visualize your rules after you organize the report data.
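The filter-and-column workflow that this procedure describes, shown here as an added Python example. It is not IBM code and calls no QRadar, Detection and Response Center or Data Explorer API; the rule records, the origin and category labels and the MITRE ATT&CK mappings are constructed for illustration, and the report's regular-expression filter is assumed to behave like Python's `re.search` (case-insensitive, matching anywhere in the name unless you anchor with `^` or `$`). The `filter_rules` function applies the same kinds of filters the report offers (name regex, source, origin, tactic, technique), and `project` mimics Manage columns by returning only the chosen columns in the order you list them.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    # Attribute names mirror the report filters described on the page.
    # The values used below are constructed sample data.
    name: str
    source: str                 # "QRadar" or "Sigma community"
    origin: str                 # "Default" or "Custom" (assumed labels)
    category: str               # QRadar rule category (assumed for illustration)
    tactics: FrozenSet[str]     # MITRE ATT&CK tactic names
    techniques: FrozenSet[str]  # MITRE ATT&CK technique IDs


# Constructed sample rules; none of these is a real QRadar or Sigma rule.
RULES: List[Rule] = [
    Rule("Excessive Failed Logins", "QRadar", "Default", "Authentication",
         frozenset({"Credential Access"}), frozenset({"T1110"})),
    Rule("Custom: Failed Login Burst from Single Source", "QRadar", "Custom",
         "Authentication", frozenset({"Credential Access"}), frozenset({"T1110"})),
    Rule("Suspicious PowerShell Download Cradle", "Sigma community", "Default",
         "Process Creation", frozenset({"Execution"}), frozenset({"T1059.001"})),
    Rule("Remote Service Creation", "Sigma community", "Default", "System",
         frozenset({"Lateral Movement", "Persistence"}), frozenset({"T1021", "T1543.003"})),
    Rule("New DNS Tunnel Indicator", "QRadar", "Default", "Network",
         frozenset({"Command and Control"}), frozenset({"T1071.004"})),
]


def _technique_matches(wanted: str, technique: str) -> bool:
    """A parent technique ID (T1543) also matches its sub-techniques (T1543.003)."""
    return technique == wanted or technique.startswith(wanted + ".")


def filter_rules(rules: Iterable[Rule],
                 name_regex: Optional[str] = None,
                 source: Optional[str] = None,
                 origin: Optional[str] = None,
                 tactic: Optional[str] = None,
                 technique: Optional[str] = None) -> List[Rule]:
    """Return the rules that satisfy every filter that is set (filters are AND-ed)."""
    pattern = re.compile(name_regex, re.IGNORECASE) if name_regex else None
    selected: List[Rule] = []
    for rule in rules:
        if pattern and not pattern.search(rule.name):
            continue
        if source and rule.source != source:
            continue
        if origin and rule.origin != origin:
            continue
        if tactic and tactic not in rule.tactics:
            continue
        if technique and not any(_technique_matches(technique, t) for t in rule.techniques):
            continue
        selected.append(rule)
    return selected


def project(rules: Iterable[Rule], columns: Sequence[str]) -> List[Tuple]:
    """Emulate Manage columns: keep only the chosen attributes, in the given order."""
    for column in columns:
        if column not in Rule.__dataclass_fields__:
            raise ValueError(f"unknown column: {column}")
    return [tuple(getattr(rule, column) for column in columns) for rule in rules]


if __name__ == "__main__":
    # Unanchored regex: matches both rules whose name contains "failed login".
    for rule in filter_rules(RULES, name_regex=r"failed login"):
        print(rule.name)
    # Parent technique ID also selects rules mapped to a sub-technique.
    for row in project(filter_rules(RULES, technique="T1543"), ["name", "source", "techniques"]):
        print(row)
```

Note that the unanchored pattern `failed login` selects both the default and the custom rule, while `^failed login` selects neither, because both names start with other words; when a name filter returns nothing, check the anchors before assuming the rule is missing.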