Investigating your rules

Investigate your rules by filtering on different properties, and determine which rules you might need to edit in IBM® Detection and Response Center or search for in Data Explorer.

Before you begin

See the system requirements and information about setting up QRadar® connections in Accessing Detection and Response Center.

About this task

Follow the suggested workflow for investigating your rules.

Procedure

  1. From the report menu bar, click the list icon and pick a template. The default template shows the rules that are available from IBM QRadar and the Sigma community.
  2. Filter the rules by source and origin, rule attributes, QRadar rule attributes, or MITRE ATT&CK tactics and techniques. For more information, see Filtering rules by their properties.
  3. To find a rule with a specific name, filter on the name attribute by using a regular expression that matches the name.
  4. Customize the report presentation to make it easier to investigate your rules. To modify the column settings, click the gear icon.
    1. Search or scroll down the window to find the column that you want to add to the report and select the relevant checkbox.
      Tip: You can add other QRadar rule attributes to the report display, such as rule category, group, log source type, or test.
    2. In the Selected columns section of the window, drag the columns in the order that you want them displayed in the report.
    3. Click Apply.
  5. To investigate details for a specific rule, select the rule name to open the rule details page. The rule details page contains sections for common rule attributes, test definitions, and source-specific rule attributes, such as the author of a Sigma community rule.
    Tips:
    • To run a STIX pattern for a Sigma community rule, click Search in Data Explorer.
    • To see more details about a Sigma community rule in GitHub, click External link.
  6. After you organize the report data, visualize your rules.

What to do next

Filtering rules by their properties