Detection rule properties

Detection rule properties describe where a rule comes from and in what format, what it tests, which data sources it covers, and how it maps to MITRE ATT&CK tactics and techniques. You can filter the rule list on any of these properties and use the ATT&CK mappings to build coverage views.

Rule source and format

Rule source: QRadar® rules are applied to events, flows, or offenses to search for or detect anomalies in QRadar.

Rules from the Sigma community are enhanced with STIX patterns. Threat Investigator uses the Sigma rules; you can also run the STIX patterns yourself in Data Explorer.

IBM provides content correlation rules that the system uses to enrich alerts with additional severity information and to correlate the enriched alerts when needed.

Origin:
  • System indicates a default rule.
  • Override indicates a default rule that was customized.
  • User indicates a user-created rule.

Supported rule format: Each rule format is supported by particular product applications, so the format tells you what the rule is for and which part of the product runs it. For example, filter on format to see which rules Threat Investigator uses, or which STIX patterns are available for you to run in Data Explorer.

Rule attributes

Rule name: Enter an exact rule name, or search rule names by regular expression.
Rule description: Filter on the rule description by regular expression.
Rule enabled: Show enabled or disabled rules, to check that the rules that generate offenses are the ones that are meaningful for your environment.
Creation and modification dates: Use the date filters to see which rules were created or modified in a period, such as the last week. The modification date shows only that a rule was modified, not what changed in its content.
Test definition: Enter an exact test definition, or search test definitions by regular expression.

QRadar rule attributes

Rule or Building Block (BB): A rule is a collection of tests that triggers an action when specific conditions are met. Each rule can be configured to capture and respond to a specific event, sequence of events, flow sequence, or offense.
Building blocks group commonly used tests so that complex logic can be built once and reused in rules. Building blocks use the same tests that rules use, but have no actions associated with them: on its own, a matching building block does nothing until a rule that references it fires.
Tip: You can add other QRadar rule attributes to the report display, such as rule category, group, log source type, or test.
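As an added example (this editor's Python, not IBM code and not how QRadar's rule engine is implemented), the following models the distinction above: a building block is a named group of tests with no action, and a rule references building blocks plus its own tests and returns an action only when everything matches. The field names, rule names, the threshold test and the sample events are all constructed for the demonstration.

```python
# Toy model of QRadar-style rules and building blocks (added example, not IBM code).
# A building block is a reusable group of tests with no action; a rule combines
# building blocks and its own tests and returns an action only when all match.
# Field names, rule names and the events are constructed for the demo.
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, List, Optional

Event = dict
Test = Callable[[Event], bool]


def field_equals(name: str, value) -> Test:
    """Stateless test: the event field equals a value."""
    return lambda ev: ev.get(name) == value


def field_matches(name: str, pattern: str) -> Test:
    """Stateless test: the event field matches a regular expression."""
    rx = re.compile(pattern)
    return lambda ev: isinstance(ev.get(name), str) and bool(rx.search(ev[name]))


class SeenAtLeast:
    """Stateful test: the same key value was seen `count` times within `window` seconds.
    It counts the events it is asked about, so list it after the stateless tests
    (a failing earlier test short-circuits it) and feed events in time order."""

    def __init__(self, key: str, count: int, window: float):
        self.key, self.count, self.window = key, count, window
        self._seen = defaultdict(deque)

    def __call__(self, ev: Event) -> bool:
        q = self._seen[ev.get(self.key)]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) >= self.count


@dataclass
class BuildingBlock:
    """Reusable test group. Matching a building block on its own does nothing."""
    name: str
    tests: List[Test]

    def matches(self, ev: Event) -> bool:
        return all(t(ev) for t in self.tests)


@dataclass
class Rule:
    """Tests plus an action; referenced building blocks are checked before the rule's own tests."""
    name: str
    tests: List[Test]
    building_blocks: List[BuildingBlock] = field(default_factory=list)
    action: str = "create_offense"
    enabled: bool = True

    def evaluate(self, ev: Event) -> Optional[str]:
        """Return the action to take, or None when the rule does not fire."""
        if not self.enabled:
            return None
        if not all(bb.matches(ev) for bb in self.building_blocks):
            return None
        if not all(t(ev) for t in self.tests):
            return None
        return self.action


def build_rules() -> List[Rule]:
    """Fresh rule objects; the threshold test keeps state, so build a set per run."""
    failed_logon = BuildingBlock("BB:Constructed: Failed Logon",
                                 [field_equals("category", "auth.failure")])
    return [
        Rule("Constructed: 3 failed logons from one source in 60 s",
             tests=[field_matches("src", r"^10\."), SeenAtLeast("src", count=3, window=60)],
             building_blocks=[failed_logon]),
        Rule("Constructed: disabled copy", tests=[], building_blocks=[failed_logon], enabled=False),
    ]


# Constructed events: failures from 10.0.0.5 at 0, 20, 40 and 200 s, one success,
# one failure from another source. Only the third failure inside 60 s should fire.
SAMPLE_EVENTS = [
    {"ts": 0, "src": "10.0.0.5", "category": "auth.failure"},
    {"ts": 10, "src": "10.0.0.5", "category": "auth.success"},
    {"ts": 20, "src": "10.0.0.5", "category": "auth.failure"},
    {"ts": 30, "src": "10.0.0.9", "category": "auth.failure"},
    {"ts": 40, "src": "10.0.0.5", "category": "auth.failure"},
    {"ts": 200, "src": "10.0.0.5", "category": "auth.failure"},
]


def run(rules: List[Rule], events: List[Event]):
    """Evaluate every rule against every event in time order; return (rule, ts, action) per firing."""
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            action = rule.evaluate(ev)
            if action:
                fired.append((rule.name, ev["ts"], action))
    return fired
```

Running `run(build_rules(), SAMPLE_EVENTS)` fires the rule once, at the 40 s event, and the disabled copy never fires even though its building block matches every failed logon. The building block on its own only answers yes or no; the action belongs to the rule.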

MITRE ATT&CK

Tactic: Select tactics from the list. For example, the Initial Access tactic covers adversaries who are trying to get into your network.
Technique: Search for techniques and their sub-techniques, or select them from the list. The list is prefiltered to the techniques of the selected tactic. For example, the Account Discovery technique covers adversaries who attempt to get a list of local system or domain accounts.

Sub-techniques are identified by a dot in the ID, such as "T1003.002 Security Account Manager", and describe more specifically how an adversary carries out the parent technique. For example, T1003 OS Credential Dumping has sub-techniques for dumping credentials from the Security Account Manager (T1003.002) and from Local Security Authority (LSA) Secrets (T1003.004).

Mapping confidence: Filter on the confidence level that was assigned to a mapping between a rule and a tactic or technique.
Mapping enabled: Whether the mapping between the tactic or technique and the rule is turned on. Mappings that are not enabled are not added to the technique coverage heat map.
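The following added example (this editor's Python, not IBM code) models both the Rule attributes filters above (regular expressions on name, description and test definition; the enabled flag; origin; modification date) and a technique coverage count of the kind the heat map shows: only enabled mappings count, and a sub-technique ID such as T1003.002 rolls up to its parent T1003. The rule inventory, the confidence ranking, the fixed clock, and the choice to leave disabled rules out of coverage are this example's assumptions, not something the page states.

```python
# Rule inventory filters and ATT&CK coverage (added example, not IBM code).
# Models the Rule attributes filters (regular expressions on name, description and
# test definition; enabled flag; origin; modification date) and a technique coverage
# count like the heat map: disabled mappings never count and a sub-technique ID (dot
# in the ID) rolls up to its parent technique. Skipping disabled rules from coverage
# is this example's choice, not something the page states. All rules are constructed.
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Mapping:
    tactic: str       # ATT&CK tactic, e.g. "credential-access"
    technique: str    # "T1003", or a sub-technique such as "T1003.002"
    confidence: str   # "low" | "medium" | "high"
    enabled: bool = True

    @property
    def parent_technique(self) -> str:
        """Sub-technique IDs carry a dot; the part before it is the technique."""
        return self.technique.split(".", 1)[0]


@dataclass
class Rule:
    name: str
    description: str
    origin: str        # "System" | "Override" | "User"
    enabled: bool
    modified: datetime
    test_definition: str
    mappings: List[Mapping] = field(default_factory=list)


CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}


def filter_rules(rules: List[Rule], *, name_re: Optional[str] = None,
                 description_re: Optional[str] = None, test_re: Optional[str] = None,
                 enabled: Optional[bool] = None, origin: Optional[str] = None,
                 modified_since: Optional[datetime] = None) -> List[Rule]:
    """Apply the inventory filters; every filter that is given must match (AND)."""
    def keep(r: Rule) -> bool:
        return ((name_re is None or re.search(name_re, r.name) is not None)
                and (description_re is None or re.search(description_re, r.description) is not None)
                and (test_re is None or re.search(test_re, r.test_definition) is not None)
                and (enabled is None or r.enabled == enabled)
                and (origin is None or r.origin == origin)
                and (modified_since is None or r.modified >= modified_since))
    return [r for r in rules if keep(r)]


def technique_coverage(rules: List[Rule], *, min_confidence: str = "low",
                       tactic: Optional[str] = None, rollup: bool = True) -> Dict[str, int]:
    """Number of enabled rules covering each technique, counting each rule once per
    technique even if it maps several of its sub-techniques."""
    cov: Counter = Counter()
    for r in rules:
        if not r.enabled:               # a disabled rule produces no offenses
            continue
        counted = set()
        for m in r.mappings:
            if not m.enabled or (tactic and m.tactic != tactic):
                continue
            if CONFIDENCE_RANK[m.confidence] < CONFIDENCE_RANK[min_confidence]:
                continue
            key = m.parent_technique if rollup else m.technique
            if key not in counted:
                counted.add(key)
                cov[key] += 1
    return dict(cov)


NOW = datetime(2024, 6, 1)  # fixed clock so the demo is reproducible

SAMPLE_RULES = [  # constructed inventory; test definitions are illustrative, not QRadar syntax
    Rule("SAM hive read", "Registry read of the SAM hive", "System", True,
         NOW - timedelta(days=2), "when Object Name matches .*SAM$",
         [Mapping("credential-access", "T1003.002", "high")]),
    Rule("LSA secrets access", "Read of the LSA Secrets registry key", "Override", True,
         NOW - timedelta(days=30), "when Object Name matches .*Policy.Secrets.*",
         [Mapping("credential-access", "T1003.004", "medium")]),
    Rule("Local account enumeration", "net user or wmic useraccount run", "User", True,
         NOW - timedelta(days=1), "when Process Name matches (net1?|wmic).exe",
         [Mapping("discovery", "T1087.001", "low"),
          Mapping("credential-access", "T1003", "low", enabled=False)]),
    Rule("Legacy: net user listing", "Superseded by Local account enumeration", "System", False,
         NOW - timedelta(days=400), "when Command matches net user",
         [Mapping("discovery", "T1087.001", "high")]),
]


def changed_last_week() -> List[str]:
    """Rules modified in the last 7 days; the date says that they changed, not what changed."""
    return [r.name for r in filter_rules(SAMPLE_RULES, modified_since=NOW - timedelta(days=7))]
```

With the defaults, `technique_coverage(SAMPLE_RULES)` reports two rules on T1003 and one on T1087: the two T1003 sub-technique mappings roll up to the parent, the disabled T1003 mapping on the enumeration rule is ignored, and the disabled legacy rule adds nothing. Raising `min_confidence` to `"medium"` drops T1087 entirely, which is the kind of gap the confidence filter is meant to expose. `changed_last_week()` returns the two rules touched in the last seven days, but it cannot say what changed in them; for that you need to compare the test definition against a saved copy.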