Filtering rules by their properties

Filter your rules to fine-tune the report results. Examine your MITRE ATT&CK coverage by filtering your rules based on their mappings to tactics and techniques. IBM® QRadar rules can be modified in QRadar® or QRadar Use Case Manager.

Before you begin

See the system requirements and information about setting up QRadar connections in Accessing Detection and Response Center.

About this task

The more filters that you apply to the rules, the more fine-tuned the list of results you get. The IBM Detection and Response Center uses the OR condition within the options of one filter group, and uses the AND condition across multiple groups of filters. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon).

As you select filters, the unapplied filter tags appear in the filters row with a lighter colored background. After you apply the filters, the tags change to a darker colored background.

Procedure

  1. On the IBM Detection and Response Center page, select from the filters in the Rule source and origin section. You can filter by using the following properties:
    Rule source
    QRadar rules are applied to events, flows, or offenses to search for or detect anomalies in QRadar.

    Rules from the Sigma community are enhanced by STIX patterns. Sigma rules are used by Threat Investigator. You can also run the STIX patterns in Data Explorer.

    Origin
    Filter by the type of rule.
    • System indicates a default rule.
    • Customized system rule indicates that a default rule was customized.
    • User indicates a user-created rule.
    Support rule format
    Each rule format is supported by certain product applications. The rule format determines the purpose of the rule and what part of the product supports the rule. For example, you might be interested in what Threat Investigator is using, or what library you have available to run in Data Explorer (STIX).
  2. Select filters from the Rule attributes section. You can filter by using the following properties:
    Rule name
    Enter a specific rule name or search for it by using regular expressions.
    Rule enabled
    See which rules are enabled or disabled to ensure that your system generates meaningful offenses for your environment.
    Creation and modification dates
    Use the date filters to see what changed during the last week, or to see which rules were modified. The modification date identifies the rules that were modified; it does not show what changed inside those rules.
    Test definition
    Enter a specific test definition or search for it by using regular expressions.
  3. Select filters from the QRadar rule attributes section.
    Rule or Building Block (BB)
    A rule is a collection of tests that triggers an action when specific conditions are met. Each rule can be configured to capture and respond to a specific event, sequence of events, flow sequence, or offense.
    Building blocks group commonly used tests to build complex logic so that they can be used in rules. Building blocks use the same tests that rules use, but have no actions that are associated with them.
    Tip: You can add other QRadar rule attributes to the report display, such as rule category, group, log source type, or test. Click the gear icon in the report menu bar to configure more columns.
  4. Select from the filters in the MITRE ATT&CK section. The following options are available to filter:
    Tactic
    Select tactics from the list. For example, an Initial Access tactic is used by adversaries who are trying to get into your network.
    Technique
    Search for techniques and their sub-techniques or select them from the list. The techniques are prefiltered to match the selected tactic. For example, an Account Discovery technique occurs when adversaries attempt to get a list of your local system or domain accounts.

    Sub-techniques are identified by a dot in the ID, such as "T1003.002 Security Account Manager." Sub-techniques provide a more specific description of the behavior an adversary uses to achieve their goal. For example, an adversary might dump credentials by accessing the Local Security Authority (LSA) Secrets.

    Mapping confidence
    Indicates mappings that are assigned a specific level of confidence for rule coverage.
    Mapping enabled
    Indicates, for each rule, whether the mapping between the rule and the tactic or technique is turned on. Mappings that are not enabled are not counted in the technique coverage heat map.
  5. To clear the report results, click Clear filters, choose new filters in the left pane, and then click Apply filters to display new results.
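The filter semantics described above (OR within one filter group, AND across groups, regular-expression search for rule name and test definition, technique prefiltering by tactic, and a coverage heat map that counts only enabled mappings) are shown below in an added example. This is illustrative code written for this page, not IBM Detection and Response Center or QRadar code, and it does not use any product API; the rule records, field names, and filter dictionary layout are constructed assumptions that mirror the filter properties the procedure lists.

```python
"""Worked model of the rule-filter semantics described on this page.

Constructed example: the record layout and field names are assumptions,
not the product's data model or API.
"""
import re
from collections import Counter

# Constructed sample rules. Each carries the properties the filters act on;
# MITRE mappings are per rule and carry their own confidence and enabled flag.
RULES = [
    {"name": "Local: Multiple Login Failures", "source": "QRadar", "origin": "System",
     "enabled": True, "kind": "Rule", "tests": "when the event QID is one of ... login failure",
     "mappings": [{"tactic": "Credential Access", "technique": "T1110",
                   "confidence": "High", "enabled": True}]},
    {"name": "BB:Category: SAM database access", "source": "QRadar",
     "origin": "Customized system rule", "enabled": True, "kind": "Building Block",
     "tests": "when the event category is ... object access",
     "mappings": [{"tactic": "Credential Access", "technique": "T1003.002",
                   "confidence": "Medium", "enabled": True}]},
    {"name": "Sigma: LSA Secrets dump", "source": "Sigma", "origin": "User",
     "enabled": False, "kind": "Rule", "tests": "x-ibm-finding ...",
     "mappings": [{"tactic": "Credential Access", "technique": "T1003.004",
                   "confidence": "Low", "enabled": False}]},
    {"name": "Local: New Admin Account", "source": "QRadar", "origin": "User",
     "enabled": True, "kind": "Rule", "tests": "when the event QID is one of ... account created",
     "mappings": [{"tactic": "Discovery", "technique": "T1087",
                   "confidence": "High", "enabled": True}]},
]

# Properties that the page describes as regular-expression searches.
REGEX_PROPS = {"name", "tests"}
# Properties that live on the rule's MITRE mappings rather than on the rule itself.
MAPPING_PROPS = {"tactic", "technique", "confidence"}


def matches_group(rule, prop, selected):
    """OR within one filter group: a rule matches if any selected value matches."""
    if not selected:                      # an empty group applies no restriction
        return True
    if prop in REGEX_PROPS:
        return any(re.search(pattern, rule[prop]) for pattern in selected)
    if prop in MAPPING_PROPS:
        return any(m[prop] in selected for m in rule["mappings"])
    return rule[prop] in selected


def apply_filters(rules, filters):
    """AND across groups: a rule is kept only if every filter group matches.

    `filters` maps a property name to the set of values chosen in that group,
    e.g. {"source": {"QRadar"}, "origin": {"System", "User"}}.
    """
    return [r for r in rules
            if all(matches_group(r, prop, values) for prop, values in filters.items())]


def techniques_for_tactic(rules, tactic):
    """Prefilter the technique list to those mapped under the selected tactic."""
    return sorted({m["technique"] for r in rules for m in r["mappings"]
                   if m["tactic"] == tactic})


def is_sub_technique(technique_id):
    """Sub-techniques are identified by the dot in the ID, e.g. T1003.002."""
    return re.fullmatch(r"T\d{4}\.\d{3}", technique_id) is not None


def coverage_heat_map(rules):
    """Count rules per technique, skipping mappings that are not enabled."""
    counts = Counter()
    for r in rules:
        for m in r["mappings"]:
            if m["enabled"]:
                counts[m["technique"]] += 1
    return counts


if __name__ == "__main__":
    chosen = {"source": {"QRadar"}, "origin": {"System", "User"}}
    for r in apply_filters(RULES, chosen):
        print("match:", r["name"])
    print("techniques under Credential Access:",
          techniques_for_tactic(RULES, "Credential Access"))
    print("heat map:", dict(coverage_heat_map(RULES)))
```

Running the module prints the two QRadar rules whose origin is System or User (the customized system rule is excluded by the origin group, the Sigma rule by the source group), the three techniques mapped under Credential Access, and a heat map in which T1003.004 is absent because its only mapping is not enabled.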