Duplicating rules for further customization

Save time by duplicating existing rules instead of creating new ones. Then, you can customize the duplicated rules to meet the needs of your environment. For example, you might have several rules that are associated with a domain through their tests, but now you want to associate the rules with another domain. You can duplicate the rules in batch mode rather than copying each rule individually for the second domain.

Procedure

  1. On the Use Case Explorer page, if the report is in grouped mode, click the Ungroup table rows icon to ungroup the report's table columns.
    Tip: Use any of the filters, such as the rule name, tactic, or technique to find the rule you want to copy, or search by using a regular expression. You can also use the Group filter to select the group you want to search, such as authentication or compliance.
    If you're searching for text in parentheses, escape each parenthesis with a backslash in the regular expression. For example, Multiple Login Failures from the Same Source \(Windows\).
  2. Click the pencil icon in the report table to display checkboxes for each table row.
  3. Select the checkbox for each rule that you want to copy, and click Duplicate.
    Important: Rule grouping information is not duplicated in new rules.
  4. Change the new rule name to something meaningful to your organization.
  5. Click Save to see the status of the duplication before closing the window, or click Save and close.

What to do next

Select a duplicated rule in the Use Case Explorer page and edit it in the QRadar® rule wizard.