IBM Support

QRadar: How to delete rules from the API

How To


Summary

This article describes, step by step, how to use the API to delete rules that are no longer needed.

Steps

Notes:
  • These steps require all rules to be moved to a Rule Group before the rules are deleted, so that they are easier to find.
  • Only users with permission to edit rules can perform these steps.
How to delete rules by using the API:
  1. Navigate to https://<Console IP>/api_doc and open the Interactive API for Developers.
  2. Go to analytics, select rule_groups
  3. In the right pane, scroll down until the Parameters box is visible, then add the following:
    • To the fields text box: name, child_items
    • To the filter text box: name="<Rule_group>"
    • Leave the range text box blank.
  4. Click Try it Out! The response lists the name and child_items of the matching rule group.
  5. From the output, make note of the child_items IDs. These "child_items" are the rules included in that Rule Group.
  6. Go to analytics, select rules and then {id}:
  7. On the right pane, click the red DELETE button at the upper left and scroll down to the Parameters.
  8. In the id text box, paste the child_items IDs, one at a time, and click Try it Out! after each one.
    Result:
    Administrators can remove rules from the system by using the interactive API GUI.
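
The same procedure as a script, added here as an example that is not part of the original IBM article: it builds the rule group lookup from steps 2 to 4, extracts the child_items IDs from step 5, and prepares one DELETE per rule for steps 6 to 8, printing them as a dry run for review. Assumptions: the REST paths /api/analytics/rule_groups and /api/analytics/rules/{id} behind the interactive pages named above, an authorized service token sent in the SEC header, and child_items returned as a list of ID strings. The host name, token, group name and sample response are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

def group_lookup_request(console, token, group_name):
    """Steps 2-4: GET the group with fields=name,child_items and a name filter."""
    if '"' in group_name:
        # A quote would close the filter string early and change the query.
        raise ValueError("group name must not contain a double quote")
    query = urllib.parse.urlencode(
        {"fields": "name,child_items", "filter": f'name="{group_name}"'},
        quote_via=urllib.parse.quote,
    )
    return urllib.request.Request(
        f"https://{console}/api/analytics/rule_groups?{query}",
        headers={"SEC": token, "Accept": "application/json"},  # assumed auth header
        method="GET",
    )

def child_rule_ids(response_body, group_name):
    """Step 5: return the rule IDs of exactly one group with this name."""
    groups = [g for g in json.loads(response_body) if g.get("name") == group_name]
    if len(groups) != 1:
        raise LookupError(f"expected one group named {group_name!r}, got {len(groups)}")
    # int() rejects anything that is not a plain numeric ID before it reaches a URL.
    return sorted({int(i) for i in groups[0].get("child_items", [])})

def delete_requests(console, token, rule_ids):
    """Steps 6-8: one DELETE per rule ID (assumed path /api/analytics/rules/{id})."""
    return [
        urllib.request.Request(
            f"https://{console}/api/analytics/rules/{rid}",
            headers={"SEC": token, "Accept": "application/json"},
            method="DELETE",
        )
        for rid in rule_ids
    ]

# Constructed sample response, not captured from a real console.
SAMPLE_BODY = '[{"name": "Retired Rules", "child_items": ["100045", "100046"]}]'

if __name__ == "__main__":
    ids = child_rule_ids(SAMPLE_BODY, "Retired Rules")
    for req in delete_requests("qradar.example.test", "PLACEHOLDER-TOKEN", ids):
        print(req.get_method(), req.full_url)  # dry run: review the list first
        # To send: urllib.request.urlopen(req), with the console certificate trusted.
```

Keep the printed list with the change record so that each deleted rule ID can be traced back to the Rule Group it came from.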

    Document Location

    Worldwide

    Document Information

    Modified date:
    20 June 2022

    UID

    ibm16595757