IBM QRadar


 Editing long conditions without deleting and recreating them - Property is any of [...]

Daniel Rychlý posted Fri October 24, 2025 04:46 AM

Hello,

when working with longer conditions in QRadar in Rules or Log Activity, we think it is pretty annoying that you cannot edit longer conditions. You need to delete them and create them again.

For example we have these conditions:
Source Geographic Country/Region is any of [Belgium or Finland or ...] (lots of countries)
Username is any of [Ben or Fin or ...] (lots of usernames)

If we want to add or delete some country or username, the only option is to delete the whole condition and create it again without or with the new username / country.

If there are 10s of values and we need to update them frequently, this might be time-consuming.


Do you know about any workaround or possibility to edit these rules (add or remove values) faster?
It would be best if we could add or remove only a specific value, without touching the rest of the condition.

Thanks,
Daniel Rychlý

Perf1

Yes, it is planned to be addressed in a future version of QRadar. Stay tuned.

Jan Luptak

@perf1 are we talking about 7.5.0 UpdatePackage 14?

Juan Paulo

Hi Daniel, if I understand correctly, the answer to your question is to use either "Building Blocks" (BB) and/or "Reference Sets", where BB was an older approach to solve this and Reference Sets is a newer approach.

For example, on a search in the Log Activity you can use it like this:


When adding the filter, you need to search for the parameter "Reference Set", then you search for "Data Entry", in this case the user.

In this example, my Reference Set "IT Admins" has two values, "root" and "admin", and the result is the following.

For rules you can use the test "when any of these event properties are contained in any of these reference set(s)", something like this:

The reference set management UI is on the Admin tab.


Hope that this will help you.
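
Once a condition tests against a Reference Set, single values can also be added or removed by script instead of through the UI. The sketch below is an added example, not code from any poster in this thread or from IBM: it assumes the QRadar REST endpoints under `/api/reference_data/sets` and the `SEC` token header, and the console host, token and sample response are placeholders constructed for illustration. It only builds the requests; nothing is sent.

```python
import json
import urllib.parse
import urllib.request

# Assumptions (not from the thread): placeholder console host and token.
CONSOLE = "https://qradar.example.invalid"
TOKEN = "REPLACE_WITH_AUTHORIZED_SERVICE_TOKEN"


def plan_changes(current, desired):
    """Return (to_add, to_remove) so only the differing values are touched."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)


def values_from_get(body):
    """Extract element values from the JSON returned by GET .../sets/{name}."""
    return [item["value"] for item in json.loads(body).get("data", [])]


def build_requests(set_name, current, desired):
    """Build one REST request per changed value; the caller decides when to send."""
    name = urllib.parse.quote(set_name, safe="")
    base = f"{CONSOLE}/api/reference_data/sets/{name}"
    headers = {"SEC": TOKEN, "Accept": "application/json"}
    to_add, to_remove = plan_changes(current, desired)
    reqs = []
    for value in to_add:
        # POST .../sets/{name}?value=... adds a single element.
        url = f"{base}?{urllib.parse.urlencode({'value': value})}"
        reqs.append(urllib.request.Request(url, method="POST", headers=headers))
    for value in to_remove:
        # DELETE .../sets/{name}/{value} removes a single element.
        url = f"{base}/{urllib.parse.quote(value, safe='')}"
        reqs.append(urllib.request.Request(url, method="DELETE", headers=headers))
    return reqs


# Constructed sample: GET response for the "IT Admins" set from the answer above.
SAMPLE_GET = ('{"name": "IT Admins", "element_type": "ALN", '
              '"data": [{"value": "root"}, {"value": "admin"}]}')

if __name__ == "__main__":
    current = values_from_get(SAMPLE_GET)
    # Desired state: keep "root", drop "admin", add "ben".
    for req in build_requests("IT Admins", current, ["root", "ben"]):
        print(req.get_method(), req.full_url)  # send with urllib.request.urlopen(req)
```

Rules and saved searches that reference the set pick up the changed values without the condition itself being edited.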