IBM Support

QRadar: How to find properties being used in rules or building blocks using the command line

How To


Summary

Administrators who tune rules or building blocks for administrative tasks often require an updated list of rules that use a specific property. This article contains a step by step of how to find the rules or building blocks used by a property.

Steps

Use the CLI (Command-Line Interface) to get the rule names.
  1. Ssh to the QRadar console by using the CLI.
  2. Execute the next command to output the names of the rules containing the event or flow property being searched, replace <CEP NAME> with the property name:
    psql -U qradar -c "select regexp_matches(rule_data::text,'\<name\>(.*?)\<\/name\>') as Rule_Using_Property from custom_rule where rule_data like '%<CEP NAME>%';"
  3. Review the output of the command. This output contains the names of the rules that are using the property searches from the Postgres command. Find next an output example:image-20220817200205-1
    Note: If the property name is a substring of another property name, you might get some false positives. For example, if the property Domain is searched it might match results for Web Domain too.
Result:
Administrators have a list of rules that use a property. 

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtrAAA","label":"Rules"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
22 August 2022

UID

ibm16613555