Investigating detection rules
Investigate detection rules by filtering on their properties. Detection rules support data source coverage and MITRE ATT&CK coverage and mapping. Use the filtered list to determine which rules you might need to edit in IBM® Detection and Response Center or search in IBM Security Data Explorer.
Before you begin
To access QRadar® rules, you must be connected to QRadar through the IBM QRadar Proxy app.
- Go to .
- On the Detection tab, from the report menu bar, click , and pick a template. The default template for the Detection rules shows the Sigma rules and the QRadar rules, if QRadar is connected.
- Filter the rules by source and format, rule attributes, QRadar rule attributes, or MITRE ATT&CK tactics and techniques. For more information, see Detection rule properties. Tip: The more filters you apply, the more fine-tuned the list of results. The Detection and Response Center uses the OR condition within the options of one filter group, and uses the AND condition across multiple filter groups. Any column that you can filter on can also be added to the rule report through the column selection feature (gear icon). As you select filters, the unapplied filter tags appear in the filters row with a lighter colored background. After you apply the filters, the tags change to a darker colored background.
- To find a rule with a specific name, filter on the name attribute by using a regular expression.
- Customize the report presentation to make it easier to investigate your rules. To modify the column settings, click .
- Search or scroll down the window to find the column that you want to add to the report and select the relevant checkbox. Tip: You can add other QRadar rule attributes to the report display, such as rule category, group, log source type, or test.
- In the Selected columns section of the window, drag the columns in the order that you want them displayed in the report.
- Click Apply.
- To investigate details for a specific rule, select the rule name to open the rule details page. The rule details page contains sections for common rule attributes, test definitions, source-specific rule attributes, such as the version of a Sigma rule, and MITRE ATT&CK
- To run a STIX pattern for a Sigma community rule, click Search in Data Explorer (magnifying glass icon).
- To see more details about a Sigma community rule in GitHub, click External link.
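The filter semantics described in the filtering step (OR within one filter group, AND across groups, a regular expression for the name attribute) are easy to misread when several groups are active. The following added example, which is not part of the product or its documentation, applies those semantics to a constructed set of rule records whose attribute names and values are assumptions for illustration only.

```python
import re

# Constructed sample rule records (not real Sigma or QRadar rules), carrying the
# kinds of attributes the Detection rules report lets you filter on.
RULES = [
    {"name": "Suspicious PowerShell Download", "source": "Sigma", "format": "Sigma",
     "tactics": {"Execution", "Command and Control"}, "techniques": {"T1059.001", "T1105"},
     "log_source": "windows"},
    {"name": "Multiple Failed Logins", "source": "QRadar", "format": "QRadar",
     "tactics": {"Credential Access"}, "techniques": {"T1110"}, "log_source": "auth"},
    {"name": "Scheduled Task Creation", "source": "Sigma", "format": "Sigma",
     "tactics": {"Persistence", "Execution"}, "techniques": {"T1053.005"},
     "log_source": "windows"},
    {"name": "Outbound DNS Tunneling", "source": "QRadar", "format": "QRadar",
     "tactics": {"Command and Control"}, "techniques": {"T1071.004"}, "log_source": "dns"},
]


def _matches_group(rule, attribute, wanted):
    """OR within one filter group: any selected value matching the attribute is enough."""
    value = rule.get(attribute)
    if attribute == "name":
        # The name filter is a regular expression; search case-insensitively.
        return any(re.search(pattern, value or "", re.IGNORECASE) for pattern in wanted)
    if isinstance(value, set):
        # Multi-valued attributes (tactics, techniques) match on any overlap.
        return bool(value & set(wanted))
    return value in wanted


def filter_rules(rules, filter_groups):
    """AND across filter groups: a rule is listed only if every active group matches.

    filter_groups maps an attribute name to the values selected in that group,
    for example {"tactics": ["Execution"], "source": ["Sigma"]}.
    An empty mapping applies no filter and returns every rule name.
    """
    return [
        rule["name"]
        for rule in rules
        if all(_matches_group(rule, attr, vals) for attr, vals in filter_groups.items())
    ]


if __name__ == "__main__":
    print(filter_rules(RULES, {"tactics": ["Execution"], "source": ["Sigma"]}))
```

Narrowing by adding a second group (AND) can empty the list even when each group alone matches several rules, which is the behaviour the tip about applying more filters describes.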