Investigating QRadar rules and building blocks

Investigate your rules by filtering different properties to ensure that the rules are defined and working as intended, including log source coverage. Determine which rules you might need to edit in IBM® QRadar® or investigate further in the IBM QRadar Use Case Manager app.

Before you begin

Ensure that you have the proper user permissions to view and maintain QRadar rules. For more information, see Assigning user permissions for QRadar Use Case Manager.

About this task

Follow the suggested workflow for investigating your rules.

Procedure

  1. Go to the Use Case Explorer page, click the list icon, and pick a template to use.
  2. Filter rules and building blocks by attributes, activity, tests, MITRE ATT&CK tactics and techniques, or content extension attributes.
  3. To find the rule you want to edit or search, filter on the rule name, tactic, or technique by using a regular expression. You can also use the Group filter to select the group you want to search, such as authentication or compliance.
    If you're searching for text that contains parentheses, escape each parenthesis with a backslash in the regular expression so that it is matched literally rather than treated as a capture group. For example, Multiple Login Failures from the Same Source \(Windows\).
    Image that shows backward slash in regex for search
  4. To create rules, click the plus sign icon and select Event, Flow, or Offense to open the rule wizard.
    It might take several minutes for the new rule to appear in the report. To see the new rule immediately, click the Refresh icon in the report menu bar.
  5. Customize the report presentation to make it easier to investigate the rules and building blocks.
    Image that shows icons on rule report menu bar
  6. To investigate an individual rule or building block, make sure that the report table is ungrouped. Then, select the rule name to open the rule investigation page, which provides details about the rule or building block you selected.
  7. To investigate multiple rules or building blocks simultaneously, click the pencil icon in the report table to display checkboxes for each table row. Select the relevant rules or building blocks that you want to edit, and then click Open in rule wizard.
    Important:

    On QRadar 7.4.1 Fix Pack 2 or later, you can change the date range for the trend of the selected rule in the Offense creation by current rule in a certain time chart. The date range defaults back to the filtered date range (1 month) when you close and reopen the rule.

    On QRadar 7.3.3, the default date range is 3 days and cannot be edited.

  8. To enable or disable rules, make sure that the Rule enabled column is visible in the report, and then switch the toggle to On or Off.
    Important: You cannot disable an enabled rule if it has dependents. You cannot enable a rule if any of its dependencies are disabled or not installed. The list of dependents or dependencies is shown in the warning message so that you can review it.
  9. Edit MITRE mappings for rules or building blocks. For more information, see Editing MITRE mappings in a rule or building block.
  10. To add custom rule attributes to the selected rule or building block, follow these steps:
    1. Click Open in rule wizard on the report menu bar.
    2. In the center pane of the screen, expand the Custom attributes section.
    3. If no custom attributes are currently added to the rule, click the plus sign icon and select the checkbox for each relevant attribute and value. Then, click Save and apply.
      Tip: You can also define new custom attributes in this window.
    4. If you want to add more values to the custom attributes already added to the rule, click the plus sign icon for the attribute and select values from the list.
      Tip: You can also define new custom attribute values in this window.
    5. Close the wizard.
      Tip: To fully manage custom rule attributes and their values, such as editing or deleting, go to Settings > Custom Rule Attributes.
  11. To investigate QRadar User Behavior Analytics rules, see Investigating user behavior analytics rules.
  12. Visualize your rules and building blocks after you organize the report data.
  13. Export the report as a CSV or XML file to share with others.
  14. Export the MITRE mappings as a JSON file to share with others.
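The regular-expression filter in step 3 behaves like any other regex engine: an unescaped pair of parentheses is a capture group, so the text in parentheses is matched without the parentheses themselves. The following Python snippet is an added example, not part of the IBM documentation or the Use Case Manager app; it runs the same kind of case-insensitive search over a constructed list of rule names (the names are illustrative, not an export from a real system) and shows how escaping, or re.escape(), makes the parentheses literal.

```python
import re

# Constructed sample of rule names as they might appear in the Use Case
# Explorer report. These are illustrative and not taken from any real system.
RULE_NAMES = [
    "Multiple Login Failures from the Same Source (Windows)",
    "Multiple Login Failures from the Same Source",
    "Multiple Login Failures from the Same Source (Linux)",
    "Multiple Login Failures for Single Username",
]


def filter_rules(pattern, names=RULE_NAMES):
    """Return the rule names matched by a case-insensitive regex search.

    This mimics typing a regular expression into the rule-name filter:
    the pattern only needs to match somewhere inside the name.
    """
    regex = re.compile(pattern, re.IGNORECASE)
    return [name for name in names if regex.search(name)]


def literal_name_pattern(name):
    """Escape regex metacharacters (parentheses, dots, brackets, ...) so a
    rule name is matched exactly as written instead of being interpreted
    as a pattern."""
    return re.escape(name)


if __name__ == "__main__":
    # Escaped parentheses match the literal "(Windows)" suffix.
    print(filter_rules(r"Same Source \(Windows\)"))
    # Unescaped parentheses form a group: this looks for "Same Source Windows",
    # which no rule name contains, so nothing matches.
    print(filter_rules(r"Same Source (Windows)"))
    # Grouping can be used deliberately, here to select either platform variant.
    print(filter_rules(r"\((Windows|Linux)\)"))
    # Anchoring with $ isolates the name that has no platform suffix.
    print(filter_rules(r"Same Source$"))
    # re.escape() builds the literal pattern for a name copied from the report.
    print(filter_rules(literal_name_pattern(RULE_NAMES[0])))
```

The same escaping applies to any other regex metacharacter that appears in a rule or building-block name, such as a dot or square brackets; when in doubt, escape the whole copied name rather than individual characters.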
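Step 8 imposes two restrictions on the enable/disable toggle: a rule with dependents cannot be disabled, and a rule cannot be enabled while any of its dependencies is disabled or not installed. The following Python snippet is an added example, not part of the IBM documentation or the Use Case Manager app; it models those two checks over a constructed, hypothetical set of rules and building blocks so that the warning lists the app would show can be reproduced when reviewing rule state in a script.

```python
# Constructed, hypothetical rule set. Each entry records whether the rule or
# building block is enabled and which rules or building blocks it depends on.
# A dependency that is absent from this dictionary stands for content that is
# not installed (for example, from a content extension that was never added).
RULES = {
    "BB:Auth - Login Failure": {"enabled": True, "depends_on": []},
    "Multiple Login Failures (Windows)": {
        "enabled": True,
        "depends_on": ["BB:Auth - Login Failure"],
    },
    "BB:Host - Critical Servers": {"enabled": False, "depends_on": []},
    "Critical Server Login Failure": {
        "enabled": False,
        "depends_on": ["Multiple Login Failures (Windows)", "BB:Host - Critical Servers"],
    },
    "Rule With Missing Dependency": {
        "enabled": False,
        "depends_on": ["BB:Missing Extension"],
    },
}


def dependents_of(name, rules):
    """Rules or building blocks that reference `name` directly."""
    return sorted(r for r, spec in rules.items() if name in spec["depends_on"])


def blocking_dependencies(name, rules):
    """Direct dependencies of `name` that would prevent enabling it,
    labelled the way a warning message would describe them."""
    blockers = []
    for dep in rules[name]["depends_on"]:
        if dep not in rules:
            blockers.append(f"{dep} (not installed)")
        elif not rules[dep]["enabled"]:
            blockers.append(f"{dep} (disabled)")
    return blockers


def can_toggle(name, enable, rules=RULES):
    """Return (allowed, reasons) for switching `name` to enabled or disabled.

    Disabling is refused when the rule has dependents; enabling is refused
    when any dependency is disabled or not installed. `reasons` holds the
    names that would appear in the corresponding warning message.
    """
    if enable:
        blockers = blocking_dependencies(name, rules)
        return (not blockers, blockers)
    dependents = dependents_of(name, rules)
    return (not dependents, dependents)


if __name__ == "__main__":
    for rule, enable in [
        ("BB:Auth - Login Failure", False),
        ("Critical Server Login Failure", True),
        ("BB:Host - Critical Servers", True),
        ("Rule With Missing Dependency", True),
    ]:
        allowed, reasons = can_toggle(rule, enable)
        action = "enable" if enable else "disable"
        print(f"{action} {rule!r}: {'allowed' if allowed else 'blocked'} {reasons}")
```

Only direct dependencies are checked here, which is what the two restrictions describe; enabling a rule whose dependencies are themselves blocked is handled one step at a time, starting from the building blocks at the bottom of the chain.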

What to do next

Filtering rules and building blocks by their properties