How To
Summary
Administrators who tune rules or building blocks as part of routine maintenance often need an up-to-date list of the rules that use a specific custom event or flow property. This article gives step-by-step instructions for finding the rules or building blocks that use a given property.
Steps
Use the CLI (Command-Line Interface) to get the rule names.
- SSH to the QRadar console and open a shell.
- Run the following command to print the names of the rules whose definition contains the event or flow property you are searching for. Replace <CEP NAME> with the property name:
psql -U qradar -c "select regexp_matches(rule_data::text,'\<name\>(.*?)\<\/name\>') as Rule_Using_Property from custom_rule where rule_data like '%<CEP NAME>%';"
- Review the output of the command. Each row is the name of one rule whose rule_data contains the property string matched by the Postgres query; because regexp_matches returns a text array, each name is printed inside braces, for example {Rule name}.
[Output example: screenshot in the original article, not reproduced in this text]
Note: The query is a substring search (LIKE '%<CEP NAME>%'), so a property whose name is contained in another property's name produces false positives. For example, searching for Domain also returns rules that use Web Domain.
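As an added example that is not part of the IBM article, the following POSIX shell functions wrap the same query so that the property name is passed as an argument instead of being pasted into the statement by hand. The example assumes the environment the article describes (a shell on the QRadar console where psql -U qradar reaches the database, and a custom_rule table with a rule_data column); the function names are the example's own. The property name is escaped both for SQL string syntax and for the LIKE wildcards, so a name containing an apostrophe does not break the statement and an underscore does not silently widen the match. The article's regular expression is used without its backslashes (they only escape characters that are not special in PostgreSQL regular expressions), and the first element of the returned array is selected so that psql -At prints one bare rule name per line.

```shell
#!/bin/sh
# Added example, not from the IBM article. Assumes a root shell on the QRadar
# console where "psql -U qradar" reaches the database, and the custom_rule
# table with its rule_data column as used by the article's query.

# Escape a property name for use inside a single-quoted SQL LIKE pattern:
# backslashes first (LIKE's default escape character), then the wildcards
# % and _, then single quotes doubled as SQL string syntax requires.
sql_like_escape() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\\\/g' \
        -e 's/%/\\%/g' \
        -e 's/_/\\_/g' \
        -e "s/'/''/g"
}

# Build the SQL statement for one property name. As in the article, the
# first <name> element in rule_data is taken to be the rule name;
# regexp_matches without the 'g' flag returns only that first match, and
# [1] pulls the captured text out of the returned array.
build_query() {
    esc=$(sql_like_escape "$1")
    printf "select (regexp_matches(rule_data::text, '<name>(.*?)</name>'))[1] as rule_using_property from custom_rule where rule_data like '%%%s%%';" "$esc"
}

# Run the query on the console. -A drops the column alignment and -t drops
# the header and row count, so the output is one rule name per line.
find_rules_using_property() {
    if [ -z "$1" ]; then
        echo "usage: find_rules_using_property <property name>" >&2
        return 1
    fi
    psql -U qradar -At -c "$(build_query "$1")"
}
```

Usage on the console: source the file and run find_rules_using_property 'Web Domain'. The substring caveat from the article still applies; the escaping only guarantees that the characters in the property name are matched literally.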
Result:
Administrators have a list of the rules that use the property.
Document Location
Worldwide
Product: IBM Security QRadar SIEM
Category: Rules
Platform: Platform Independent
Version: All Versions
Document Information
Modified date:
22 August 2022
UID
ibm16613555