I recently had a request which had me pulling my hair out (it's not like I have any): dump all of the QRadar rules. Having looked at the "custom_rule" table, I thought I might be able to do this. I then focused on the "rule_data" field, only to find that its contents are stored in a form I could not even figure out the best way to parse.
While IBM did not have a supported way to do this, I was pointed to a location which might be helpful, and it was very helpful. I assume someone else may have a similar request in the future, so I thought I should post here what I used to retrieve a dump of all the rules.
The following command (a single pipeline) dumps the name and notes of all rules and building blocks into a CSV file. Two caveats: the grep keeps only rows whose rule_data begins with an XML declaration, so any row stored differently is silently dropped, and the sed pattern assumes one <name> and one <notes> element per row and does not escape commas or quotes inside the name.
psql --username=qradar --no-align --command="SELECT rule_data FROM custom_rule" \
  | grep "^<?xml" \
  | sed --expression='s/<notes\/>/<notes><\/notes>/' --expression='s/.*<name>\(.*\)<\/name><notes>\(.*\)<\/notes>.*/"\1","\2"/' \
  | sort > qradar.rules.csv
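A more robust extractor, added here as an example (it is not the post's own command and not IBM code): it takes the raw psql output on stdin, finds the <rule> element in each row whether or not the row starts with an XML declaration, parses it with a real XML parser so entities and an empty <notes/> are handled, and writes properly quoted CSV, which the sed one-liner does not do for names containing commas or quotes. It assumes only that each psql row arrives as one line (as with --no-align) and that <name> and <notes> are direct children of <rule>, the same elements the sed pattern relies on; the sample rows, rule names and id attributes are constructed, and the --tuples-only flag in the usage line is standard psql, not something the post used.

```python
#!/usr/bin/env python3
"""Extract (name, notes) from QRadar custom_rule.rule_data rows into CSV.

Added example, not from the original post or from IBM. Assumptions:
  * each psql row arrives as one line (as with --no-align);
  * rule_data contains a <rule> element whose direct children include
    <name> and <notes>, the same elements the post's sed pattern uses;
    nothing else about the real schema is assumed.

Usage (assumed):
  psql --username=qradar --no-align --tuples-only --command="SELECT rule_data FROM custom_rule" | python3 dump_rules.py > qradar.rules.csv
"""
import csv
import io
import re
import sys
import xml.etree.ElementTree as ET

# Greedy within a single line, so a row is kept whole even if the rule body
# happens to contain a nested </rule>. \b stops "<rule" from matching tags
# such as <rules> or <rule_data>.
RULE_RE = re.compile(r"<rule\b.*</rule>")

# Constructed sample of psql --no-align output: header line, three rows
# (one with an XML declaration, two without), and the row-count footer.
# Hypothetical rule names and id attributes; not real QRadar content.
SAMPLE_PSQL_OUTPUT = """rule_data
<?xml version="1.0" encoding="UTF-8"?><rule id="1"><name>BB:CategoryDefinition: Authentication Success</name><notes/></rule>
<rule id="2"><name>Excessive Firewall Denies, "External"</name><notes>Fires when denies &gt; 400 in 5 min</notes></rule>
<rule id="3"><name>Login Failures Followed By Success</name><notes></notes></rule>
(3 rows)
"""


def extract_rule_xml(row):
    """Return the <rule>...</rule> fragment of one psql row, or None for the
    header, the footer, or anything that carries no rule element. Unlike
    grep "^<?xml", rows without an XML declaration are still accepted."""
    m = RULE_RE.search(row)
    return m.group(0) if m else None


def parse_rule(fragment):
    """Parse one <rule> fragment with a real XML parser, so entities such as
    &gt; are decoded and an empty <notes/> yields ''."""
    root = ET.fromstring(fragment)
    name = root.findtext("name", default="")
    notes = root.findtext("notes", default="")
    return name.strip(), notes.strip()


def rows_to_records(lines):
    """Turn psql output lines into a sorted list of (name, notes) tuples."""
    records = []
    for lineno, line in enumerate(lines, 1):
        fragment = extract_rule_xml(line)
        if fragment is None:
            continue
        try:
            records.append(parse_rule(fragment))
        except ET.ParseError as exc:
            # Report rather than silently drop a rule the XML parser rejects.
            print(f"line {lineno}: unparseable rule_data ({exc})", file=sys.stderr)
    return sorted(records)


def to_csv(records):
    """Render records as CSV; the csv module doubles embedded quotes and
    quotes fields containing commas, which the sed one-liner does not."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "notes"])
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    # Read psql output from a pipe; fall back to the constructed sample when
    # run interactively so the script can be tried without a QRadar host.
    source = sys.stdin if not sys.stdin.isatty() else io.StringIO(SAMPLE_PSQL_OUTPUT)
    sys.stdout.write(to_csv(rows_to_records(source.read().splitlines())))
```

Run it on the sample by invoking it with no pipe; the third CSV line comes out as "Excessive Firewall Denies, ""External""","Fires when denies > 400 in 5 min", which is what a spreadsheet or csv reader expects, whereas the sed version would emit an unbalanced quote and a stray comma in the name column.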
P.S. There are now a few other ways of achieving this. Check these links:
https://github.com/NdS-Research-Facilities/QRadar-ruleset
https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.qradar.doc_cloud/c_cmt_import_export_methods.html
https://www.ibm.com/developerworks/community/forums/html/topic?id=ad76e30e-0674-4be7-b376-1b34f9d24ac4&ps=25
https://developer.ibm.com/answers/questions/419663/export-list-of-rules-in-qradar/
For additional information you can visit
https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014969023
I tried this and all it exported were the Building Blocks (and a short list of them at that). Any ideas?
I have changed the grep "^<?xml". All rule blocks are built within the rule tag:

grep -Po "<rule.*</rule>"
Andres,

Can you repost what you have? I'm looking at redoing this but just can't seem to find the time to pay attention to it.