IBM Security QRadar

  • 1.  Migrating rules and dependencies from an All-In-One to a distributed environment?

    Posted Sun May 26, 2024 05:41 AM

    Hi all,

    has anyone tried to migrate rules, BBs (and dependencies) from an All-In-One (Playground) to a distributed (Pre/prod) environment?

    Any thoughts on feasibility, what to watch out for (filesystem-level permissions which may be different?) etc. would be greatly appreciated.

    There are a few docs available on how this should work (by using the CMT tool etc.), however I'd still like to hear real world experiences... :)


    QRadar: How to export current Custom Rules and Building Blocks to a CSV

    QRadar: Best practices when using the Content Management Tool to export custom data

    Importing content by using the content management script

    Many thanks in advance!



    ------------------------------
    Vedran Zulin
    ------------------------------


  • 2.  RE: Migrating rules and dependencies from an All-In-One to a distributed environment?

    Posted Mon May 27, 2024 07:00 AM

    Hi Vedran

    Jose Bravo has a series of videos on this

    https://www.youtube.com/watch?v=MBoaYUZCnZQ

    There should be no difference in filesystem-level permissions.

    You may also need to consider any CEPs used in the rules/BBs which are being migrated.

    Thanks



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Migrating rules and dependencies from an All-In-One to a distributed environment?

    Posted Mon May 27, 2024 08:03 AM

    Hi John,

    thanks a lot - I'll certainly have a look at Jose's videos!

    Meanwhile, while executing the following command: 

    ./contentManagement.pl --action export -c all

    I got dozens of "[INFO] Found a search that is pertaining to the Retention Policy. We currently and temporarily do not support export or import of that content as a better solution from the ground up is scheduled to worked on very soon." errors back.

    Any workaround (and/or an explanation) for this?

    Thanks again,

    kind regards



    ------------------------------
    Vedran Zulin
    ------------------------------



  • 4.  RE: Migrating rules and dependencies from an All-In-One to a distributed environment?

    Posted Tue May 28, 2024 04:43 AM

    It just means that searches which are used for Retention buckets will not be exported (and therefore not imported).  You will need to re-create Retention bucket settings manually on the target system if required.

    pfh



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------