Wednesday, October 7, 2015

Dumping All QRadar Rules

I recently had a request which had me pulling my hair out (it's not like I have any). The request to dump all of the QRadar rules. Having looked at the "custom_rule" table, I thought I may be able to do this. I then focused in on the "rule_data" field, only to find this information is in a manner which I could not even figure out the best way to parse. 

While IBM did not have a way to do this, I was however, pointed to a location which may be helpful ... and it was very helpful. I assume, someone else may have a similar request in the future and thought I should post output here to retrieve a dump of all the rules.

The following commands will dump all rules and building blocks.

psql --username=qradar --no-align --command="SELECT rule_data FROM custom_rule" | grep "^<?xml" | sed --expression 's/<notes\/>/<notes><\/notes>/' --expression='s/.*<name>\(.*\)<\/name><notes>\(.*\)<\/notes>.*/"\1","\2"/' | sort > qradar.rules.csv

P.S. There are now a few other ways of achieving this. Check these links:

For additional information you can visit


  1. I tried this and all it exported were the Building Blocks (and a short list of them at that). Any ideas?

  2. I have changed the 'grep "^"'. All rule blocks are build within the rule tag

    1. Andres,
      Can you repost what you have? I'm looking at redoing this but just cant seem to find the time to pay attention to it.

  3. There is a Use Case Manager app that allows you to export rules, review active rules, and more. This is default to QRadar and there is no need to look at the custom rules database anymore.