Administrators who tune rules or building blocks for administrative tasks often require an updated list of rules that use a specific property. This article contains a step by step of how to find the rules or building blocks used by a property.
- Ssh to the QRadar console by using the CLI.
- Execute the next command to output the names of the rules containing the event or flow property being searched, replace <CEP NAME> with the property name:
psql -U qradar -c "select regexp_matches(rule_data::text,'\<name\>(.*?)\<\/name\>') as Rule_Using_Property from custom_rule where rule_data like '%<CEP NAME>%';"
Review the output of the command. This output contains the names of the rules that are using the property searches from the Postgres command. Find next an output example:Note: If the property name is a substring of another property name, you might get some false positives. For example, if the property Domain is searched it might match results for Web Domain too.
Was this topic helpful?
22 August 2022