IBM Security QRadar

  • 1.  Automated content pack extension removal

    Posted Tue June 22, 2021 10:13 AM
    I am using QRadar 7.3.3. I had installed a security content pack extension which has custom rules, reference data sets, searches, reports, etc. While uninstalling it, I chose the 'Remove/Revert all' option and expected that it would completely remove all the objects, i.e. reference sets, custom rules, etc.

    But even after uninstallation, I could see that the rules etc. are still present and have just been disabled rather than completely removed.

    I searched for any backend command-line options to remove those, but I could only find a command-line option for removing reference data.
    Removing it via the UI takes more time and involves manual activity. Is there any automated way to completely remove the content pack extension?

    Thanks.
     


    ------------------------------
    Chuan Liu
    ------------------------------


  • 2.  RE: Automated content pack extension removal

    IBM Champion
    Posted Fri July 09, 2021 11:52 AM
    Hi,
    Because of the specific architecture, content packs don't get completely removed from QRadar. This should not hurt your operations, however. If you really need to get rid of the leftover extensions, you have to go back to your latest backup, which is stored automatically each night. A better approach is to run a CMT export all before installing content extensions and reinstall your old settings after removing the content extension. This will clear up all your objects without side effects. CMT will give you the option to focus on those object types that are affected by your extension, rather than restoring everything like restore does.

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------