Easy way to transfer QRadar custom rules from a test box to a production box
by Ralph Belfiore
One of the questions I was asked most often during the last few weeks was: "How do I transfer QRadar custom rules from a test box to a production box?"
To address this concern, I want to share one of my favorite QRadar secrets for how to achieve this. It's just that easy!
CRE - Rule Testing Order
First of all, the challenge is to develop the custom rule(s) in a test box and consider the tuning options while building a custom rule.
It's important to pay attention to the custom rule testing order to ensure that the new rule(s) do not impact custom rule engine performance.
For more information about optimizing custom rules, see the IBM QRadar Tuning Guide.
Details are in Chapter 3: https://www.ibm.com/support/knowledgecenter/SS42VS_7.4/com.ibm.qradar.doc/b_qradar_tuning_guide.pdf?view=kc
After testing the rule(s) successfully and finally achieving the expected result, you're ready to transfer the rule or set of rules from test to production.
Methods of importing and exporting content
QRadar provides a cool "out-of-the-box" tool to manage QRadar content called the "Content Management Tool".
It's a powerful script with a couple of parameters to export content and import it into another deployment. And there are several ways to do this.
Let's say it depends on the objective.
Details about importing and exporting content in your QRadar deployment can be found here:
The question to ask in advance is: do you want to transfer just one rule, or do you want to treat the custom set of rules as a package?
In this blog post I want to focus on the additional value of transferring a set of rules as a package.
Why? Because it's that easy and provides some additional value!
Another advantage is that all dependencies are included and exported together with the specified content items.
How to prepare?
You just have to be aware of the powerful QRadar Content Management Tool and the options it offers.
The contentManagement.pl script is located in /opt/qradar/bin.
Step 1: Identify the set of rules and collect the rule ids using the "search" action
Run /opt/qradar/bin/contentManagement.pl -a search -c customrule -r "Name of Rule 1"
As a result you get the id of the rule, for example 107379. Just repeat this step for each custom rule to get its id!
Create a text file
Step 2: Create a text file to collect the ids for the package, using for example vim
The content of this file is in this case just the content type identifier customrule, followed by the ids of the rules you want to treat as a "package".
Export content as package
Step 3: Build the final package
Run /opt/qradar/bin/contentManagement.pl -a export -c package -f rule_package.txt
As a result you will find the package as a zip file in the directory you've run the command.
Step 4: Install the package in the production box using admin -> extension management
The additional value of a "rule package" is that it is added through the extension management process.
This way the package content can be updated and deleted later on.
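Steps 1 to 3 above are repetitive when a package holds a dozen rules, so here is an added shell wrapper (example code, not part of the original post or of the QRadar tooling) that looks up each rule id, validates it, writes the package file and runs the export. It assumes the contentManagement.pl location from the post, that the rule id is the first 4+ digit number in the search output, and that the package file line is the content type followed by comma-separated ids; check the CMT documentation for the exact file format before relying on it.

```shell
#!/bin/sh
# Path to the Content Management Tool; override CMT for testing.
CMT="${CMT:-/opt/qradar/bin/contentManagement.pl}"

# lookup_rule_id "Rule Name": runs the step 1 search and prints the id.
# Assumption: the id is the first number of 4+ digits in the output, so
# use the exact rule name to avoid matching several rules at once.
lookup_rule_id() {
    name="$1"
    result=$("$CMT" -a search -c customrule -r "$name") || return 1
    id=$(printf '%s\n' "$result" | grep -oE '[0-9]{4,}' | head -n 1)
    [ -n "$id" ] || { echo "no id found for rule '$name'" >&2; return 1; }
    printf '%s\n' "$id"
}

# build_package_file OUTFILE ID...: writes the step 2 file, rejecting any
# id that is not a positive integer so a typo never exports the wrong rule.
# Assumed layout: "customrule,<id>,<id>,..." on a single line.
build_package_file() {
    out="$1"; shift
    ids=""
    for id in "$@"; do
        case "$id" in
            ''|*[!0-9]*) echo "invalid rule id: $id" >&2; return 1 ;;
        esac
        ids="${ids:+$ids,}$id"
    done
    [ -n "$ids" ] || { echo "no rule ids given" >&2; return 1; }
    printf 'customrule,%s\n' "$ids" > "$out"
}

# export_package PACKAGEFILE: step 3, then prints the newest zip in the
# current directory (the CMT writes the package where it is run).
export_package() {
    pkg="$1"
    "$CMT" -a export -c package -f "$pkg" || return 1
    ls -1t ./*.zip 2>/dev/null | head -n 1
}

# Typical use on the test box (rule names constructed for illustration):
#   ids=""
#   for n in "Name of Rule 1" "Name of Rule 2"; do
#       ids="$ids $(lookup_rule_id "$n")" || exit 1
#   done
#   build_package_file rule_package.txt $ids && export_package rule_package.txt
```

The resulting zip is then installed on the production box via Admin -> Extension Management, exactly as in step 4.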
A clever & smart way to transfer custom QRadar content from test to production:
- It's all there out-of-the-box
- no magic stuff needed
- ready to use - just need to know :)
#Qradar-Highlights #cmt #bestpractices