Investigate detection rules by filtering on their properties. Detection rules support
data source coverage and MITRE ATT&CK coverage and mapping. Determine which rules you might
need to edit in IBM® Detection and Response Center or search for in IBM Security Data Explorer.
Before you begin
To access QRadar® rules, you must be connected to QRadar through the IBM QRadar Proxy app. You must also have IBM QRadar Use Case Manager 3.2.0 or later installed in your QRadar environment so that the Detection and Response Center can retrieve the QRadar rules.
Tip: If you don't use QRadar, or you can't immediately set up a QRadar connection, you can still work with Sigma community rules.
Procedure
- Go to .
- On the Detection tab, from the report menu bar, click
,
and pick a template. The default template for the Detection rules shows the
Sigma rules and, if QRadar is connected, the QRadar rules.
- Filter the rules by source and format, rule attributes, QRadar rule attributes, or MITRE ATT&CK tactics and
techniques. For more information, see Detection rule properties.
Tip: The more filters you apply, the narrower the list of results. The Detection and Response Center uses the OR condition within the options of one filter group, and the AND condition across multiple filter groups. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon). As you select filters, the unapplied filter tags appear in the filters row with a lighter colored background. After you apply the filters, the tags change to a darker colored background.
- To find a rule with a specific name, filter on the name attribute by using a regular
expression.
- Customize the report presentation to make it easier to investigate your rules. To modify
the column settings, click .
- Search or scroll down the window to find the column that you want to add to the report
and select the relevant checkbox.
Tip: You can add other QRadar rule
attributes to the report display, such as rule category, group, log source type, or test.
- In the Selected columns section of the window, drag the columns
in the order that you want them displayed in the report.
- Click Apply.
- To investigate details for a specific rule, select the rule name to open the rule details
page. The rule details page contains sections for common rule attributes, test definitions,
source-specific rule attributes, such as the version of a Sigma rule, and MITRE ATT&CK
attributes.
Tips:
- To run a STIX pattern for a Sigma community rule, click Search in Data
Explorer (magnifying glass icon).
- To see more details about a Sigma community rule in GitHub, click External
link.
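As an added illustration of the filter semantics described in the procedure (OR within one filter group, AND across groups, and a regular expression on the rule name), the following Python snippet models that logic over a constructed set of rule records. It is not IBM's code and does not call any Detection and Response Center API; the rule names, attribute keys and ATT&CK mappings are hypothetical sample data.

```python
import re
from typing import Dict, List, Optional, Sequence

# Constructed sample rules; names, sources and ATT&CK mappings are hypothetical,
# shaped like the attributes the report exposes (source, format, tactics, techniques).
RULES: List[Dict[str, object]] = [
    {"name": "Suspicious PowerShell Download Cradle", "source": "Sigma",
     "format": "Sigma", "tactics": ["Execution"], "techniques": ["T1059.001"]},
    {"name": "Multiple Login Failures from the Same Source", "source": "QRadar",
     "format": "QRadar", "tactics": ["Credential Access"], "techniques": ["T1110"]},
    {"name": "PowerShell Encoded Command", "source": "QRadar",
     "format": "QRadar", "tactics": ["Execution", "Defense Evasion"],
     "techniques": ["T1059.001", "T1027"]},
    {"name": "Scheduled Task Creation", "source": "Sigma",
     "format": "Sigma", "tactics": ["Persistence"], "techniques": ["T1053.005"]},
]


def rule_matches(rule: Dict[str, object],
                 groups: Dict[str, Sequence[str]],
                 name_pattern: Optional[str] = None) -> bool:
    """Apply the filter model: OR within a group, AND across groups.

    `groups` maps an attribute (one filter group) to the options selected in it.
    A rule passes a group when ANY selected option matches one of the rule's
    values for that attribute; it must pass EVERY group that has selections.
    A group with no selected options imposes no constraint.
    `name_pattern` is an optional regular expression searched in the rule name.
    """
    for attr, options in groups.items():
        if not options:
            continue
        value = rule.get(attr, [])
        values = value if isinstance(value, list) else [value]
        if not any(v in options for v in values):
            return False  # failed one group, so the AND across groups fails
    if name_pattern is not None and not re.search(name_pattern, str(rule["name"]), re.IGNORECASE):
        return False
    return True


def filter_rules(rules: Sequence[Dict[str, object]],
                 groups: Dict[str, Sequence[str]],
                 name_pattern: Optional[str] = None) -> List[str]:
    """Return the names of the rules that survive all active filters."""
    return [str(r["name"]) for r in rules if rule_matches(r, groups, name_pattern)]


if __name__ == "__main__":
    # Two options in one group: OR, so both Execution and Persistence rules appear.
    print(filter_rules(RULES, {"tactics": ["Execution", "Persistence"]}))
    # Two groups: AND, so only Sigma rules that also map to Execution remain.
    print(filter_rules(RULES, {"source": ["Sigma"], "tactics": ["Execution"]}))
    # Regular expression on the name, matched case-insensitively.
    print(filter_rules(RULES, {}, name_pattern=r"powershell"))
```

Adding a second option to an existing group can only widen the result set, while adding a selection to a new group can only narrow it; that is the practical consequence of the OR-within, AND-across behavior when you compose filters in the report.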
What to do next
Exporting rules