Save time by duplicating existing rules instead of creating new ones. Then, you can customize
the duplicated rules to meet the needs of your environment. For example, you might have several
rules that are associated with a domain through their tests, but now you want to associate the rules
with another domain. You can duplicate the rules in batch mode rather than copying each rule
individually for the second domain.
Procedure
- On the Use Case Explorer page, if the report is in grouped mode, click the
Ungroup table rows icon to ungroup the report's table columns.
Tip: Use any of the filters, such as the rule name, tactic, or technique to find the
rule you want to copy, or search by using a regular expression. You can also use the
Group filter to select the group you want to search, such as authentication
or compliance.
If you're searching for text in parentheses, use a backslash before each parenthesis in the
regular expression. For example:
Multiple Login Failures from the Same Source \(Windows\)
- Click the pencil icon in the report table to display checkboxes for each table
row.
- Select the checkbox for each rule that you want to copy, and click
Duplicate.
Important: Rule grouping information is not duplicated in new rules.
- Change the new rule name to something meaningful to your organization.
- Click Save to see the status of the duplication before closing the
window, or click Save and close.
What to do next
Select a duplicated rule in the Use Case Explorer page and edit it in
the QRadar® rule wizard.