Content extensions update IBM® QRadar® security information or add new content such as rules, reports, searches, reference sets, and custom properties. Filter the rule report by content extensions to see how you can increase rule coverage for log sources or MITRE tactics and techniques in your environment by installing content extensions from the IBM Security App Exchange.
About this task
The IBM QRadar Use Case Manager app automatically syncs with QRadar each day at midnight. After you install a content extension from the IBM Security App Exchange, the Use Case Explorer page is refreshed with data within 15 minutes. Alternatively, you can immediately sync the rule coverage with QRadar by going to the configuration page and clearing the cache for the app.

Tip: You can use predefined templates to see recommended content extensions to install or currently installed extensions, or manually filter your report results by content extension attributes. Predefined templates are available through the template icon on the menu bar of the rule report. Select the template you'd like to use from the categories in the template filter list.
Procedure
- On the Use Case Explorer page, go to the filters in the Content extension attributes section. By default, the QRadar Use Case Manager app filters on the installed content extensions in your environment.
- To include any IBM-created content extensions that are not installed in your environment in your search, select the Include non-installed content extensions checkbox.
- To filter only the content extensions that are not installed in your environment, select Include non-installed content extensions and then select Include only non-installed content extensions.
- Filter by specific content extension name from a list of currently installed extensions or the ones that aren't yet installed in your environment.
- Filter by specific content extension categories from the IBM Security App Exchange.
- Add the following columns to the rule report as needed: Content extension: Content extension name, Content extension: Content category, and Rule attributes: Rule installed. If you don't immediately see the columns in the report, ungroup the table rows.
  Tip: Any content extensions in the report that aren't installed in your environment are indicated in the Rule name column by a Missing content icon. Hover over each icon to see which content extension can provide the missing rules.
- To see details about a rule that is not currently installed, click the rule name. Exploring the rule details helps you determine whether the rule can add important coverage in your environment, and then you can download the content extension that contains the rule.
- To customize how the table rows are grouped, click the Configure grouping arrow icon on the tree structure icon.
- Select the columns that you want to group by selecting the corresponding checkbox. Only groupable columns that are currently listed in the report are shown, in the order in which they appear in the report. As you make your selections, a sample of what the report looks like is displayed in the Configure options for grouping rows window.
- To show only the number of child rows in the report, select the corresponding checkbox.
- Make your selections and then click Apply.
- To download the content extension, click the link in the Content extension name column to go to the extension's page in the IBM Security App Exchange. If the IBM QRadar Assistant 2.0.0 app is installed in your QRadar deployment, you can download the content extension from there.
- To clear the report results, click Clear filters, choose new filters in the left pane, and then click Apply filters to display new results.
Results
After you install new content extensions, the Use Case Explorer page refreshes the data within 15 minutes.