IBM Support

QRadar: Rules, Building Blocks, or Custom Event Properties (CEP) are not working properly but cannot be removed from the UI by an administrator.

Troubleshooting


Problem

When a Rule, Building Block, or Custom Event Property (CEP) cannot be removed from the UI, administrators can use the Application Programming Interface (API) to remove the stuck object.

Resolving The Problem

When a Rule, Building Block, or Custom Event Property is causing issues but cannot be deleted from the UI, an administrator can delete it by using the API. Each endpoint is the URL of the resource that you want to access, and the action that you want to complete on that resource is indicated by the HTTP method of the request: GET, POST, PUT, or DELETE. Rules and Building Blocks are deleted by their numeric id. Custom Event Properties are deleted by their identifier (the UUID), not by their numeric id.
Before you begin
  • You require a user with Admin credentials to use the Application Programming Interface (API) to delete the Rule, Building Block, or Custom Event Property.
  • If you call the API from the command line instead of from the Interactive API, you need an authentication token (an authorized service token, sent in the SEC header).
  • Take a configuration backup before you start, so that the Rule, Building Block, or Custom Event Property can be restored if it is needed later.
  • These procedures are for the Interactive API. An administrator who wants to remove Rules, Building Blocks, or Custom Event Properties from the command line must use an authentication token that has "User Defined" permissions. If tenancy is involved, the user or token must belong to a security profile that is attached to the necessary tenant.
  1. Log in to the QRadar UI as an admin user. 
  2. On the navigation menu ( Navigation menu icon ), click Interactive API for Developers.

Rules

  • Locating the Rule ID
    1. Expand Analytics.
    2. Click rules.
      image-20230315144548-1
    3. Under Parameters, enter a filter on the full name of the Rule in the filter box, for example name="Test Rule".
    4. Clear the value items=0-49 from the Range text box, so that the response is not limited to the first 50 results.
      image-20230314130547-1
    5. Click Try It Out.
    6. In the Response Body, look for the name of the rule. 
      In this example, the rule name is "Test Rule".
      [
        {
          "owner": "admin",
          "identifier": "e8b830c7-dc35-4ebc-9947-8f460716e695",
          "base_host_id": null,
          "capacity_timestamp": null,
          "origin": "USER",
          "creation_date": 1678812131889,
          "type": "EVENT",
          "enabled": true,
          "modification_date": 1678812131852,
          "linked_rule_identifier": null,
          "name": "Test Rule",
          "average_capacity": null,
          "id": 102339,
          "base_capacity": null
        }
      ]
      Results 
      From the example, the rule name is "Test Rule" and the ID is 102339.

  • Deleting the Rule
    1. Click {id}
      image-20230315105543-1
    2. Click Delete.
    3. Scroll to Parameters.
    4. In the id field, enter the Rule id that you found in Locating the Rule ID (102339 in this example).
      image-20230314130328-1
    5. Click Try It Out.
    6. Scroll to Response Body.
      {
        "created_by": "admin",
        "created": 1678813635145,
        "name": "Rule Deletion Task",
        "modified": 1678813635209,
        "started": null,
        "completed": null,
        "id": 688,
        "message": "Queued Rule Deletion of Rule 102339.",
        "status": "QUEUED"
      }
    7. The DELETE call returns a deletion task with the status QUEUED; the rule is removed when that task runs. To verify that the rule is deleted, search /var/log/qradar.log on the Console for the rule name by using the command:
      grep "<Rule Name>" /var/log/qradar.log
      [tomcat.tomcat] [pool-1-thread-3] com.q1labs.core.api.impl.customrule.tasks.
      DeleteCustomRuleTask: [INFO] [NOT:0000006000][<IP_address>/- -] [-/- -]admin has 
      deleted rule: 'Test Rule' with id: 102339
      Results
      The rule is deleted by using the API.

Building Blocks

  • Locating the Building Block ID
    1. Expand Analytics.
    2. Click building_blocks. 
      image-20230313144319-6
    3. Under Parameters, enter a filter on the full name of the Building Block in the filter box, for example name="Test Building Block".
    4. Clear the value items=0-49 from the Range text box, so that the response is not limited to the first 50 results.
      image-20230314132807-1
    5. Click Try It Out.
    6. In the Response Body, look for the name of the building block. 
      In this example, the Building Block name is "Test Building Block".
      [
        {
          "owner": "admin",
          "identifier": "8d1a0a86-979a-4e97-ad5d-d8d93ad767bd",
          "base_host_id": null,
          "capacity_timestamp": null,
          "origin": "USER",
          "creation_date": 1678733370957,
          "type": "EVENT",
          "enabled": true,
          "modification_date": 1678733370872,
          "linked_rule_identifier": null,
          "name": "Test Building Block",
          "average_capacity": null,
          "id": 102289,
          "base_capacity": null
        }
      ]
      Results 
      From the example, the Building Block name is "Test Building Block" and the id is 102289.

  • Deleting the Building Block
    1. Click {id}
    2. Click Delete.
      image-20230313150247-8
    3. Scroll to Parameters.
    4. In the id field, enter the Building Block id that you found in Locating the Building Block ID (102289 in this example).
      image-20230313150555-9
    5. Click Try It Out.
    6. Scroll to Response Body.
      image-20230313151101-11
    7. The DELETE call returns a deletion task with the status QUEUED; the Building Block is removed when that task runs. To verify that the Building Block is deleted, search /var/log/qradar.log on the Console for the Building Block name by using the command:
      grep "<Building Block Name>" /var/log/qradar.log
      [tomcat.tomcat] [pool-1-thread-5] com.q1labs.core.api.impl.customrule.tasks.
      DeleteCustomRuleTask: [INFO] [NOT:0000006000][<IP_address>/- -] [-/- -]admin
      has deleted rule: 'Test Building Block' with id: 102289
      Results
      The Building Block is deleted by using the API.

Custom Event Property

This procedure was tested on regex-based CEPs. The "regex_properties" endpoint is where you search for and delete any non-calculated property; this includes AQL, LEEF, JSON, regex, and NVP properties. The associated "expressions" endpoints describe the contents of a CEP, such as the JSON key path, the Low-Level Category, and the QID that is assigned to it. Calculated properties, which take a field such as "Source IP" together with an operator and a value (for example EQUALS, DOES NOT EQUAL, or GREATER THAN), are not handled by the "regex_properties" endpoint.
 

  • Locating the Custom Event Property (CEP) ID
    1. Expand config.
    2. Expand event_sources.
    3. Expand custom_properties.
    4. Click regex_properties.
      image-20230313160440-1
    5. Under Parameters, enter a filter on the full CEP name in the filter box, for example name="Test CEP".
    6. Clear the value items=0-49 from the Range text box, so that the response is not limited to the first 50 results.
      image-20230314133927-1
    7. Click Try It Out.
    8. In the Response Body, look for the name of the Custom Event Property. 
      In this example, the Custom Event Property name is "Test CEP".
      [
        {
          "identifier": "69514b35-2eb7-4dc7-b1f3-50d24aa9a629",
          "modification_date": 1678736667115,
          "datetime_format": "",
          "property_type": "string",
          "name": "Test CEP",
          "auto_discovered": false,
          "description": "",
          "id": 260,
          "use_for_rule_engine": false,
          "creation_date": 1678736667114,
          "locale": "en-US",
          "username": "admin"
        }
      ]
      
      Results 
      From the example, the Custom Event Property name is "Test CEP" and the id is 260 and the identifier is 69514b35-2eb7-4dc7-b1f3-50d24aa9a629.

  • Deleting the Custom Event Property
    1. Expand regex_properties.
    2. Click {regex_property_id}.
    3. Click Delete.
      image-20230314074848-1
    4. Scroll to Parameters.
    5. In the regex_property_id field, enter the identifier (the UUID, not the numeric id) that you found in Locating the Custom Event Property (CEP) ID (69514b35-2eb7-4dc7-b1f3-50d24aa9a629 in this example).
      image-20230314134140-2
    6. Click Try It Out.
    7. Scroll to Response Body.
      image-20230314134230-3
    8. To verify that the Custom Event Property is deleted, search /var/log/qradar.log on the Console for the CEP name by using the command:
      grep "<CEP Name>" /var/log/qradar.log
      [tomcat.tomcat] [pool-1-thread-9] com.q1labs.core.api.impl.customproperties.tasks.
      DeleteRegexPropertyTask: [INFO] [NOT:0000006000][<IP_address>/- -] [-/- -]
      admin has deleted event Regex Property: 'Test CEP' corresponding with id: 
      69514b35-2eb7-4dc7-b1f3-50d24aa9a629

      Note: If the Custom Event Property is used in rules, forwarding profiles, or searches, the response body is similar to the following. The deletion task first searches for items that depend on the property, and the property is not deleted while such dependencies exist.
      {
        "created_by": "admin",
        "created": 1680119430885,
        "name": "Event Regex Property Deletion Task",
        "modified": 1680119431336,
        "started": null,
        "completed": null,
        "id": 1175,
        "message": "Searching for items that depend on the Event Regex Property.",
        "status": "QUEUED"
      }

      Results
      The Custom Event Property is deleted by using the API when it is not associated with a Rule, Building Block, forwarding profile, or search. 
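The three procedures above follow the same sequence: search for the object by name, take its id (Rules and Building Blocks) or identifier (Custom Event Properties), send a DELETE, and confirm that the queued deletion task finished. The following Python script is an added example that is not part of this IBM document and is not QRadar code; it drives the same sequence from the command line with an authorized service token in the SEC header, covering Rules, Building Blocks, and regex-based CEPs in one place. The list and delete paths are the ones shown in the Interactive API tree above; the *_delete_tasks task-status paths and the task status names are taken from the QRadar REST API reference and should be confirmed in the Interactive API of your version; the filter syntax name="..." and the backslash escape for embedded quotes are assumptions. Sample values in the comments are the ones from this document.

```python
"""Delete a stuck QRadar Rule, Building Block, or regex-based Custom Event
Property through the REST API and poll the resulting deletion task.

Usage (token read from the environment so it does not land in shell history):
    QRADAR_TOKEN=<authorized-service-token> \
    python3 qradar_delete.py console.example.com rule "Test Rule" --dry-run
"""
import argparse
import json
import os
import ssl
import sys
import time
import urllib.parse
import urllib.request

# List/search and delete paths as shown in the Interactive API tree of this
# document. The *_delete_tasks paths are the task-status endpoints from the
# QRadar REST API reference (assumption: confirm them in your version).
ENDPOINTS = {
    "rule": dict(
        list="/api/analytics/rules",
        delete="/api/analytics/rules/{}",
        task="/api/analytics/rules/rule_delete_tasks/{}",
        key="id",          # Rules are deleted by numeric id (102339 above)
    ),
    "building_block": dict(
        list="/api/analytics/building_blocks",
        delete="/api/analytics/building_blocks/{}",
        task="/api/analytics/building_blocks/building_block_delete_tasks/{}",
        key="id",          # Building Blocks likewise (102289 above)
    ),
    "cep": dict(
        list="/api/config/event_sources/custom_properties/regex_properties",
        delete="/api/config/event_sources/custom_properties/regex_properties/{}",
        task="/api/config/event_sources/custom_properties/regex_property_delete_tasks/{}",
        key="identifier",  # CEPs are deleted by UUID identifier, not numeric id
    ),
}

# Task statuses after which polling stops (status enum from the API reference;
# assumption: treat anything else, such as QUEUED or PROCESSING, as in progress).
FINAL_OK = {"COMPLETED"}
FINAL_FAILED = {"CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


def api_filter(name):
    """Exact-match expression for the `filter` query parameter.
    Assumption: a double quote inside the name is escaped with a backslash."""
    return 'name="{}"'.format(name.replace('"', '\\"'))


def select_match(items, name, key):
    """Return the `key` of the single object whose name equals `name`.
    Refuses to guess when zero or several objects match, so a typo or a
    duplicated name never deletes the wrong object."""
    hits = [i for i in items if i.get("name") == name]
    if len(hits) != 1:
        raise LookupError("expected exactly one object named %r, found %d: %s"
                          % (name, len(hits), [h.get(key) for h in hits]))
    return hits[0][key]


def task_outcome(task):
    """Map a deletion-task JSON body to (finished, succeeded, message)."""
    status = task.get("status", "")
    msg = task.get("message", "")
    if status in FINAL_OK:
        return True, True, msg
    if status in FINAL_FAILED:
        return True, False, msg
    return False, False, msg   # still QUEUED/PROCESSING: keep polling


class QRadarClient:
    def __init__(self, console, token, api_version="12.0", verify_tls=True):
        self.base = "https://" + console
        # SEC carries the authorized-service token; Version pins the API
        # version (set it to the one shown in your Interactive API).
        self.headers = {"SEC": token, "Accept": "application/json",
                        "Version": api_version}
        self.ctx = ssl.create_default_context()
        if not verify_tls:   # lab consoles with self-signed certificates only
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def call(self, method, path, params=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        req = urllib.request.Request(url, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            body = resp.read()
        return json.loads(body) if body else {}

    def delete_by_name(self, kind, name, dry_run=False, poll_seconds=2, max_polls=60):
        ep = ENDPOINTS[kind]
        # No Range header is sent, so unlike the Interactive API default of
        # items=0-49 the whole result set is searched for the name.
        items = self.call("GET", ep["list"],
                          {"filter": api_filter(name), "fields": "id,identifier,name"})
        ref = select_match(items, name, ep["key"])
        if dry_run:
            return True, "would DELETE %s" % ep["delete"].format(ref)
        task = self.call("DELETE", ep["delete"].format(ref))   # returns the queued task
        for _ in range(max_polls):
            finished, ok, msg = task_outcome(task)
            if finished:
                return ok, msg
            time.sleep(poll_seconds)
            task = self.call("GET", ep["task"].format(task["id"]))
        return False, "task %s still %s after polling" % (task.get("id"), task.get("status"))


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("console")
    ap.add_argument("kind", choices=sorted(ENDPOINTS))
    ap.add_argument("name")
    ap.add_argument("--dry-run", action="store_true")
    ap.add_argument("--insecure", action="store_true")
    args = ap.parse_args()
    token = os.environ.get("QRADAR_TOKEN") or sys.exit("set QRADAR_TOKEN")
    client = QRadarClient(args.console, token, verify_tls=not args.insecure)
    ok, message = client.delete_by_name(args.kind, args.name, dry_run=args.dry_run)
    print(("OK: " if ok else "FAILED: ") + message)
    sys.exit(0 if ok else 1)
```

Run it first with --dry-run to see which id or identifier would be sent, and take the configuration backup named under Before you begin before running it without that flag. A CEP that still has dependent rules, forwarding profiles, or searches ends with a failed task rather than a deletion, matching the Note above, and the script reports the task message so the dependency can be found and removed.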

Document Location

Worldwide

Product: IBM Security QRadar SIEM (Security Software). Categories: Admin Tasks; Rules. Platform: Platform Independent. Version: 7.4.3; 7.5.0.

Document Information

Modified date:
31 March 2023

UID

ibm16962119