In IBM QRadar Risk Manager, you can search for rules that changed on the devices in your topology. You can also discover rule changes that occur between device configuration backups.

The results that are returned for a rule search are based on the Configuration Monitor backup of your device. To ensure that rule searches provide up-to-date information, schedule device backups in your firewall policy update page.
Procedure
- Click the Risks tab.
- In the navigation pane, click Configuration Monitor.
- Double-click a device from the Configuration Monitor page.
- On the Rules pane toolbar, click .
- In the Search Criteria area, click a time range.
- To search your device rules, choose from the following options:
| Search filter | Description |
|---|---|
| Shadowed, Deleted, or Other rule status | Click a status option. By default, all status options are enabled. To search for shadow rules only, clear the Deleted and Other options. |
| Access control list (ACL) | Type in the List field. |
| Order number | Type a numeric value in the Entry field. |
| Source or destination | Type an IP address, CIDR address, hostname, or object group reference. |
| Ports or object group references | Type in the Service field. The service can include port ranges, such as 100-200, or port expressions, such as 80(TCP). If the port is negated, the port information also includes an exclamation mark and might be surrounded by parentheses. For example, the negated port information might look like !(100-200) or !80(TCP). |
| Vulnerability rule information | For information defined by the IPS device, type in the Signature field. |
| Applications by adapter | Click Select Applications, then type an adapter or application name. |
- Click Search.
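The Service field syntax described in the table (port ranges, port(protocol) expressions, and negation with an exclamation mark and optional parentheses) is easy to misread when auditing rule changes. The following parser is an added example, not IBM's code; it assumes that a negated expression excludes every port/protocol pair the inner expression would match, and that an expression without a protocol applies to any protocol.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar assumed from the documented examples: optional "!" (negation),
# optional parentheses around the port part, a port or low-high range,
# and an optional "(PROTO)" suffix, e.g. 100-200, 80(TCP), !(100-200), !80(TCP).
_SERVICE_RE = re.compile(
    r"""^(?P<neg>!)?
        (?P<open>\()?
        (?P<low>\d{1,5})(?:-(?P<high>\d{1,5}))?
        (?:\((?P<proto>[A-Za-z]+)\))?
        (?P<close>\))?$""",
    re.VERBOSE,
)

@dataclass(frozen=True)
class ServiceExpr:
    low: int
    high: int
    protocol: Optional[str]   # None means "any protocol" (assumption)
    negated: bool

def parse_service(text: str) -> ServiceExpr:
    """Parse one Service-field expression; raise ValueError on bad syntax."""
    m = _SERVICE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised service expression: {text!r}")
    if bool(m.group("open")) != bool(m.group("close")):
        raise ValueError(f"unbalanced parentheses in {text!r}")
    low = int(m.group("low"))
    high = int(m.group("high")) if m.group("high") else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    proto = m.group("proto").upper() if m.group("proto") else None
    return ServiceExpr(low, high, proto, m.group("neg") is not None)

def is_valid(text: str) -> bool:
    try:
        parse_service(text)
        return True
    except ValueError:
        return False

def matches(expr: ServiceExpr, port: int, protocol: Optional[str] = None) -> bool:
    """True if (port, protocol) is covered by the expression, honouring negation."""
    in_range = expr.low <= port <= expr.high
    proto_ok = expr.protocol is None or protocol is None or expr.protocol == protocol.upper()
    hit = in_range and proto_ok
    return not hit if expr.negated else hit
```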