How To
Summary
Some users might need to export their full set of Custom Rules and Building Blocks for change management, reporting, or compliance purposes.
Objective
QRadar™ provides two options for exporting the deployment's current Custom Rules and Building Blocks.
The QRadar Use Case Manager app, which is installed by default as of version 7.4.1, provides options for generating filtered reports on Rule configuration.

There is also a support script, /opt/qradar/support/extractRules.py, that exports the entire rule set to a tab-delimited file. You can then import that file into a spreadsheet program of your choosing.
Steps
To export the full Rule set (all Custom Rules and Building Blocks) using extractRules.py:
1. Use SSH to log on to the Console as root user.
2. Use the /opt/qradar/support/extractRules.py script to export your full rule set to a tab-delimited file:
/opt/qradar/support/extractRules.py -o <myOutputFile.tsv>
Note: If a full path is not specified for the output file, the output file is written to the current working directory.
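For change management, the export can be wrapped so that each run writes a dated file to a fixed directory, records a checksum, and is compared with the previous export. The following is an added example, not part of the original document or of QRadar: the export directory, the file naming scheme, and the function names are assumptions, and only the script path and the -o option come from the steps above.

```shell
#!/bin/bash
# Added example: dated, checksummed rule exports for change tracking.
# EXPORT_DIR, the file naming and the function names are assumptions.
# Usage (as root on the Console), after sourcing this file:
#   new="$(export_rules)" && prev="$(previous_export "$new")"
#   [ -n "$prev" ] && rules_changed "$prev" "$new"
EXTRACTOR="${EXTRACTOR:-/opt/qradar/support/extractRules.py}"
EXPORT_DIR="${EXPORT_DIR:-/root/rule-exports}"   # assumed directory

# Run the export and print the path of the new file.
# The body is a subshell, so umask, cd and variables do not leak to the caller.
export_rules() (
    umask 077                        # rule logic is sensitive: owner-only files
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    out="$EXPORT_DIR/rules-$stamp.tsv"
    mkdir -p "$EXPORT_DIR" || exit 1
    # Pass a full path to -o so the file is not written to the current directory.
    "$EXTRACTOR" -o "$out" >&2 || exit 1
    [ -s "$out" ] || { echo "empty export: $out" >&2; exit 1; }
    # Record a SHA-256 so later modification of the archived copy is detectable
    # (verify with: cd "$EXPORT_DIR" && sha256sum -c rules-<stamp>.tsv.sha256).
    cd "$EXPORT_DIR" || exit 1
    sha256sum "rules-$stamp.tsv" > "rules-$stamp.tsv.sha256" || exit 1
    echo "$out"
)

# Print the newest export other than $1, or an empty line if there is none.
# The UTC timestamp in the name sorts chronologically under glob ordering.
previous_export() (
    prev=""
    for f in "$EXPORT_DIR"/rules-*.tsv; do
        [ -e "$f" ] && [ "$f" != "$1" ] && prev="$f"
    done
    echo "$prev"
)

# Print a unified diff of two exports. Returns 0 only when they differ;
# identical files or a diff error (missing file) return non-zero.
rules_changed() {
    rc=0
    diff -u "$1" "$2" || rc=$?
    [ "$rc" -eq 1 ]
}
```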
Document Location
Worldwide
Document Information
Modified date:
21 August 2020
UID
ibm16262413