Deleting Yara rules

You can delete all existing Yara rules from IBM QRadar Incident Forensics. You upload a file that contains a single empty rule to turn off Yara rules.

Procedure

  1. To create a new file that contains a single empty rule, use the following steps:
    1. Copy the following rule into a text editor of your choice:
      rule empty
      {
          condition:
              false
      }

    2. Save as a text file.
  2. On the navigation menu, click Admin.
  3. Select Suspect Content Management.
  4. Click Select File.
  5. In the File Upload window, browse to the file you created in Step 1 and click Open.
  6. Click Save.

Results

The single rule's condition always evaluates to false, so the rule passes the validator. Uploading the file deletes all existing rules and inserts this single rule into the database in their place. Because its condition is never true, the rule never flags content as suspicious.