Export rule data in CSV, XML, or HTML formats. Use CSV format to further process rule
data or view it in Excel. Export rules in HTML format to view offline.
Use XML format so that you can import the rule data into another QRadar® deployment. Export rules with MITRE and custom rule attribute mappings.
You can also create a manifest.txt file that is added to the exported
.zip file. Export rules to a formatted HTML report that can be viewed
offline.
About this task
You must be an administrator to export rule data to XML format.Tip: Exporting
to XML is supported on QRadar 7.4.0 or later.
Procedure
- On the Use Case Explorer page, pick one of the following
methods.
- To export all the rules in the table report, click the Download
icon in the menu bar.
- To export selected rules in the table report, click the pencil icon in the report
table to display checkboxes for each table row. Then, select the relevant rules or building blocks
that you want to export, and click Export selected rules.
- To export rule data in the report to CSV format that you can further
process or view in Excel, select the first option in the Export window, and
enter a name for the CSV file.
If you want to adjust the content to export, use the
option to control column visibility and order (gear icon) on the report view.
- To export rules and their dependencies, such as custom properties and
reference sets, to an XML file for importing into another QRadar deployment, select the
second option in the Export window. By default, the
checkboxes for exporting MITRE mappings and for custom rule attribute mappings are enabled if the
rules contain the mappings. The exported files are generated concurrently in a
.zip file.
- Click Next.
- To create a manifest.txt file that is added to the exported
.zip file, select the Include manifest.txt checkbox. The
manifest file contains the extension name (mandatory), author (mandatory), description, unique ID,
version, and support email information. These fields appear in the Extensions
Management page when you import the file in another QRadar deployment.
If you export more rules and use the same extension name and unique ID in the
manifest.txt file, there is one entry in the Extensions
Management window upon import.
- To export rules to a formatted HTML report that you can view offline,
select the third option in the Export window. By default, the dependencies,
dependents, and visualizations for the selected rules are included in the exported
.zip file. Share the .zip file with colleagues or
management who don't have access to QRadar or QRadar Use Case
Manager.
The
exported HTML file includes instructions on how to use the exported report.
- Click Export.
What to do next
Use the CSV file to further investigate your rules. Share or import the XML file into
another QRadar deployment.