IBM Support

QRadar: Rules that contribute to offenses display UNKNOWN RULE NAME

Troubleshooting

Problem

When an offense is opened, the fields for the rules that contribute to the offense might display "UNKNOWN RULE NAME". This name is misleading and can affect the investigation of the offense.

Symptom

The following message can be seen in the internal logs:
 [WARN] Unable to retrieve rule name for rule id  [140999] - 
Using [UNKNOWN RULE NAME] as the rule name for offense cre aggregation

Cause

There are two common causes for this issue:
  1. There can be an issue with the CRE cache.

    Whenever the ecs-ep process is restarted, the CRE loads the rules that are present in the system into its cache. Sometimes, when there are many rules, it does not load all of them, which results in the "UNKNOWN RULE NAME" problem.
  2. The second cause is malformed rules: either they link to a rule that does not exist, or their XML cannot be read correctly.

Resolving The Problem

Follow these steps to make the rule names display correctly.
Important: Read the whole article before you apply these steps on a production environment. If there is any doubt or question, contact Support Assistance.
  1. Create a backup of the custom_rule table. The first command creates a folder named IBM_Support; run only the second command if this folder already exists:
    mkdir /store/IBM_Support
    pg_dump -U qradar -t custom_rule > /store/IBM_Support/custom_rule.sql
  2. Search for any malformed rules.
    psql -U qradar -c "select id from custom_rule where not xml_is_well_formed_document(rule_data::text);"
    (Screen capture in the original article: example output in which all the malformed rules were already deleted, so no IDs are returned.)
    If the output does not return any IDs, proceed with step 4.
  3. If the output returns any IDs, delete the affected rules. Run the following command for each ID to obtain the rule name; replace 1234 with the ID:
    psql -U qradar -c "select id, regexp_matches(custom_rule.rule_data::text, '<name>(.*?)<\/name>') as rule_name from custom_rule where id=1234;"
    After you obtain the rule name, look it up in the graphical interface, save the rule's criteria on your device or take a screen capture of it, and then delete the rule.
  4. Run the command from step 2 again to confirm that all the malformed rules are deleted.
    psql -U qradar -c "select id from custom_rule where not xml_is_well_formed_document(rule_data::text);"
  5. Clear the link_uuid of any remaining rules whose link_uuid refers to a rule that does not exist.
    Note: Do not edit this command; run it exactly as it appears on the next line.
    psql -U qradar -c "update custom_rule set link_uuid = null where link_uuid not in (select uuid from custom_rule );"
  6. Restart ecs-ep and Tomcat with the following command so that the changes take effect.
    Note: Restarting these services affects other functions, such as access to QRadar through the graphical interface, correlation, searches, and offense creation. See QRadar: Core services and the impact of restarting services for more information.
    systemctl restart ecs-ep && systemctl restart tomcat

    Result
    New offenses display the correct information about the rules. Old offenses are not updated by these steps.
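A read-only triage script that combines the checks from steps 2, 3, and 5 so you can see exactly which rules the procedure would delete or update before you change anything. It is added here as an example and is not part of the IBM article; it assumes only the custom_rule columns the article already uses (id, uuid, link_uuid, rule_data).

```sql
-- Read-only triage for the "UNKNOWN RULE NAME" symptom (added example, not IBM's own script).
-- Assumes the custom_rule columns used in the article: id, uuid, link_uuid, rule_data.

-- 1. Rules whose XML is not well formed (what steps 2 and 3 find and delete), with the
--    rule name extracted from the raw text. substring() returns NULL when there is no
--    <name> element instead of dropping the row, so every malformed rule is listed.
select c.id,
       substring(c.rule_data::text from '<name>(.*?)</name>') as rule_name
from custom_rule c
where not xml_is_well_formed_document(c.rule_data::text)
order by c.id;

-- 2. Rules whose link_uuid points to no existing rule (the rows that step 5 sets to NULL).
--    NOT EXISTS is used because NOT IN returns no rows at all if any uuid in the table is NULL.
select c.id,
       c.link_uuid,
       substring(c.rule_data::text from '<name>(.*?)</name>') as rule_name
from custom_rule c
where c.link_uuid is not null
  and not exists (select 1 from custom_rule p where p.uuid = c.link_uuid)
order by c.id;

-- 3. One-line summary: if both counts are 0, the fix steps are not needed.
select count(*) filter (where not xml_is_well_formed_document(c.rule_data::text)) as malformed_rules,
       count(*) filter (where c.link_uuid is not null
                          and not exists (select 1 from custom_rule p where p.uuid = c.link_uuid))
         as dangling_links
from custom_rule c;
```

Save it to a file and run it with psql -U qradar -f <file>; it only reads from custom_rule, so it is safe to run before the backup in step 1 and again after step 5 to confirm the counts are 0.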

Document Location

Worldwide


Document Information

Modified date:
31 August 2022

UID

ibm16607187