Great tip & trick from QRadar Architect, Jose Bravo.
As you probably know for a QRadar rule to fire, all of its test conditions must be evaluated to true; and as soon as a test condition evaluates to false the evaluation does not proceeds further. So when you have a QRadar rule with 2 or more test conditions, it may take multiple testing to determine which of the conditions is/are evaluating to false. Around Feb 2017 Mutaz created a tool that tells you which conditions are evaluated true or false in any QRadar rule, but the tool did not work on the latest QRadar versions and several users where asking for an updated version.
In my view, when you want to troubleshoot a QRadar rule there is nothing better than QRadar CE 7.3.1 and the updated version of this tool. In this video the tool and other techniques for replaying logs and flows as well as how to migrate rules from CE to a production environment are highlighted in the attached
video. Disclaimer: Please note that this tool is not part of the official QRadar product and therefore it is not supported by IBM.
------------------------------
Wendy Batten, Community Manager
IBM Security
Cambridge MA
------------------------------