How To
Summary
Some users might need to export their full set of Custom Rules and Building Blocks for change management, reporting, or compliance purposes.
Objective
QRadar™ provides two options for exporting the deployment's current Custom Rules and Building Blocks.
Option #1 - Use Case Manager
The QRadar Use Case Manager app, which is installed by default as of version 7.4.1, provides options for generating filtered reports on Rule configuration.
Option #2 - Command line
A support script, /opt/qradar/support/extractRules.py, exports the entire rule set to a tab-delimited file that can then be imported into a spreadsheet program of your choosing.
Steps
To export the full Rule set (all Custom Rules and Building Blocks) using extractRules.py:
1. Use SSH to log on to the Console as the root user.
2. Use the /opt/qradar/support/extractRules.py script to export your full rule set to a tab-delimited file:
/opt/qradar/support/extractRules.py -o <myOutputFile.tsv>
Note: If a full path is not specified for the output file, the output file is written to the current working directory.
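One way to turn the command in step 2 into a repeatable change-management snapshot, shown as an added example that is not IBM's code. The archive directory /root/rule-exports and the function names are assumptions; only the script path and the -o option come from this page.

```shell
#!/bin/sh
# Added example, not IBM's script: dated, hashed rule exports for change tracking.
# ARCHIVE is a hypothetical directory; EXTRACT is the support script named on this page.
EXTRACT="${EXTRACT:-/opt/qradar/support/extractRules.py}"
ARCHIVE="${ARCHIVE:-/root/rule-exports}"

snapshot_rules() {
    # Export to an absolute, timestamped path so the file never lands in
    # whatever directory the shell happens to be in. Prints the new path.
    sr_out="$ARCHIVE/rules-$(date -u +%Y%m%dT%H%M%SZ).tsv"
    mkdir -p "$ARCHIVE" && chmod 700 "$ARCHIVE" || return 1
    # Rule logic shows what the deployment detects, so keep it root-only.
    ( umask 077; "$EXTRACT" -o "$sr_out" >/dev/null ) || return 1
    [ -s "$sr_out" ] || { echo "empty export: $sr_out" >&2; return 1; }
    # Record a SHA-256 so later reviewers can confirm the file is unaltered.
    ( cd "$ARCHIVE" && sha256sum "${sr_out##*/}" >> SHA256SUMS ) || return 1
    printf '%s\n' "$sr_out"
}

rules_changed() {
    # Returns 0 and prints a diff when two exports differ, 1 when they are
    # identical, 2 when either file cannot be read.
    [ -r "$1" ] && [ -r "$2" ] || return 2
    rc_status=0
    diff "$1" "$2" || rc_status=$?
    case "$rc_status" in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# Typical use on the Console (commented out so the functions can be sourced):
#   new=$(snapshot_rules) && rules_changed /root/rule-exports/<previous>.tsv "$new"
```

Running `sha256sum -c SHA256SUMS` inside the archive directory re-verifies every stored export.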
Document Location
Worldwide
Document Information
Modified date:
01 June 2023
UID
ibm16262413