Investigating your rules
Investigate your rules by filtering different properties. Determine which rules you might need to edit in IBM® Detection and Response Center or search in Data Explorer.
See the system requirements and information about setting up QRadar® connections in Accessing Detection and Response Center.
Before you begin
Follow the suggested workflow for investigating your rules.
About this task
- From the report menu bar, click the list icon and pick a template. The default template shows the rules that are available from IBM QRadar and the Sigma community.
- Filter the rules by source and origin, rule attributes, QRadar rule attributes, or MITRE ATT&CK tactics and techniques. For more information, see Filtering rules by their properties.
- To find a rule with a specific name, filter on the name attribute by using a regular expression.
- Customize the report presentation to make it easier to investigate your rules. To modify the column settings, click the gear icon.
- Search or scroll down the window to find the column that you want to add to the report and select the relevant checkbox. Tip: You can add other QRadar rule attributes to the report display, such as rule category, group, log source type, or test.
- In the Selected columns section of the window, drag the columns in the order that you want them displayed in the report.
- Click Apply.
- To investigate details for a specific rule, select the rule name to open the rule details page. The rule details page contains sections for common rule attributes, test definitions, and source-specific rule attributes, such as the author of a Sigma community rule. Tips:
- To run a STIX pattern for a Sigma community rule, click Search in Data Explorer.
- To see more details about a Sigma community rule in GitHub, click External link.
- Visualize your rules after you organize the report data.
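The name filter in the steps above accepts a regular expression, and unanchored or unescaped patterns are the usual way to over- or under-match. The following added example (not part of this IBM documentation, and not Detection and Response Center code) illustrates the point over a constructed list of rule records; the record shape, the rule names, and the assumption that the product's name filter uses `re.search`-style matching are all illustrative.

```python
import re

# Constructed sample records, shaped like report columns (name, source, MITRE
# technique). These are not real QRadar or Sigma community rules.
SAMPLE_RULES = [
    {"name": "Suspicious PowerShell Download", "source": "Sigma", "technique": "T1059.001"},
    {"name": "PowerShell Encoded Command", "source": "Sigma", "technique": "T1059.001"},
    {"name": "Windows Shell Spawned by Office", "source": "QRadar", "technique": "T1059"},
    {"name": "Login Failures Followed by Success", "source": "QRadar", "technique": "T1110"},
    {"name": "Suspicious Process (PowerShell)", "source": "Sigma", "technique": "T1059.001"},
]


def filter_rules(rules, pattern, field="name", ignore_case=False):
    """Return the rules whose `field` contains a match for `pattern`.

    Search semantics (a match anywhere in the value) are assumed; anchor with
    ^ and $ when you want the whole value to match.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return [r for r in rules if rx.search(r[field])]


def exact_name_pattern(name):
    """Build a pattern that matches exactly one rule name.

    re.escape neutralises metacharacters such as the parentheses that appear
    in rule names; without it, "(PowerShell)" is a capture group, not text.
    """
    return "^" + re.escape(name) + "$"


def names(rules):
    return [r["name"] for r in rules]


if __name__ == "__main__":
    # Unanchored: every name containing "PowerShell" (three rules).
    print(names(filter_rules(SAMPLE_RULES, "PowerShell")))
    # Anchored: only names that start with "PowerShell" (one rule).
    print(names(filter_rules(SAMPLE_RULES, "^PowerShell")))
    # Case-insensitive search for the same prefix.
    print(names(filter_rules(SAMPLE_RULES, "^powershell", ignore_case=True)))
    # Exact name with parentheses: unescaped matches nothing, escaped matches one.
    raw = "Suspicious Process (PowerShell)"
    print(names(filter_rules(SAMPLE_RULES, "^" + raw + "$")))
    print(names(filter_rules(SAMPLE_RULES, exact_name_pattern(raw))))
    # The same filter over the technique column: T1059 and its sub-techniques.
    print(names(filter_rules(SAMPLE_RULES, r"^T1059(\.\d{3})?$", field="technique")))
```

The unescaped exact-name search returns nothing because the parentheses in the rule name are read as a group, so the pattern is looking for "Suspicious Process PowerShell". Anchoring and escaping are the two checks to apply whenever a regular-expression name filter returns more or fewer rules than expected.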
Filtering rules by their properties