Exporting rules

Export rule data in CSV, XML, or HTML formats. Use CSV format to further process rule data or view it in Excel. Export rules in HTML format to view offline. Use XML format so that you can import the rule data into another QRadar® deployment. Export rules with MITRE and custom rule attribute mappings. You can also create a manifest.txt file that is added to the exported .zip file. Export rules to a formatted HTML report that can be viewed offline.

About this task

You must be an administrator to export rule data to XML format.
Tip: Exporting to XML is supported on QRadar 7.4.0 or later.

Procedure

  1. On the Use Case Explorer page, pick one of the following methods.
    1. To export all the rules in the table report, click the Download icon in the menu bar.
    2. To export selected rules in the table report, click the pencil icon in the report table to display checkboxes for each table row. Then, select the relevant rules or building blocks that you want to export, and click Export selected rules.
  2. To export rule data in the report to CSV format that you can further process or view in Excel, select the first option in the Export window, and enter a name for the CSV file.
    If you want to adjust the content to export, use the option to control column visibility and order (gear icon) on the report view.
  3. To export rules and their dependencies, such as custom properties and reference sets, to an XML file for importing into another QRadar deployment, select the second option in the Export window. By default, the checkboxes for exporting MITRE mappings and for custom rule attribute mappings are enabled if the rules contain the mappings. The exported files are generated concurrently in a .zip file.
    1. Click Next.
    2. To create a manifest.txt file that is added to the exported .zip file, select the Include manifest.txt checkbox. The manifest file contains the extension name (mandatory), author (mandatory), description, unique ID, version, and support email information. These fields appear in the Extensions Management page when you import the file in another QRadar deployment.
      If you export more rules and use the same extension name and unique ID in the manifest.txt file, there is one entry in the Extensions Management window upon import.
    Tip: You import the XML file as a content extension in another QRadar deployment. For more information, see Installing extensions by using Extensions Management.
  4. To export rules to a formatted HTML report that you can view offline, select the third option in the Export window. By default, the dependencies, dependents, and visualizations for the selected rules are included in the exported .zip file. Share the .zip file with colleagues or management who don't have access to QRadar or QRadar Use Case Manager.
    The exported HTML file includes instructions on how to use the exported report.
  5. Click Export.

What to do next

Use the CSV file to further investigate your rules. Share or import the XML file into another QRadar deployment.