IBM Support

QRadar: How to export current Custom Rules and Building Blocks to a CSV

How To


Summary

Some users might need to export their full set of Custom Rules and Building Blocks for change management, reporting, or compliance purposes.

Objective

QRadar™ provides two options for exporting the deployment's current Custom Rules and Building Blocks.
The QRadar Use Case Manager app, which is installed by default as of version 7.4.1, provides options for generating filtered reports on Rule configuration.
Exporting Rule information to CSV using Use Case Manager
There is also a support script, /opt/qradar/support/extractRules.py, which exports the entire rule set to a tab-delimited file, which can then be imported into a spreadsheet program of your choosing.

Steps

To export the full Rule set (all Custom Rules and Building Blocks) using extractRules.py:
 
1. Use SSH to log on to the Console as root user.
2. Use the /opt/qradar/support/extractRules.py script to export your full rule set to a tab-delimited file:
/opt/qradar/support/extractRules.py -o <myOutputFile.tsv>
Note: If a full path is not specified for the output file, the output file is written to the current working directory.

Document Location

Worldwide

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtrAAA","label":"Rules"}],"ARM Case Number":"TS004082294","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
21 August 2020

UID

ibm16262413